Cisco ASA admin access

Posted on November 13, 2010

The first step when installing a firewall is to set up management access to it. Weak protocols like telnet should not be used; if something needs to communicate with the firewall, that communication should be secured. Logging is just another example. Syslog itself is a clear-text protocol and should be avoided. Cisco now supports secure logging with syslog: the “secure” keyword in the logging host command specifies that the connection to the remote logging host should use SSL/TLS, for TCP only. Secure logging does not support UDP.

1. Set the enable password and optionally a local user.

One local user is important: if access to all authentication servers is dead, you still need to be able to get in.
Privilege level 15 is required for ASDM access.

(config)# enable password YourEnablePassword
(config)# username YourUsername password YourPassword privilege 15

2. Generate RSA keypair.

(config)# hostname FirewallHostname
(config)# domain-name YourDomainName

The key size here will be 2048 bits, but you can choose another one from the list:
1024 bits
2048 bits
512 bits
768 bits

(config)# crypto key generate rsa label YourKeypairName modulus 2048 noconfirm

In PIX version 6 we had to save the RSA key with
PIX 6.x Firewall(config)# ca save all
This command was removed in versions 7 and 8.

3. Define the IP sources that can access the firewall, and the authentication method if you do not use a local user.
In this example we use an internal IP, 10.10.10.1, from which we can access the firewall.

(config)# ssh 10.10.10.1 255.255.255.255 inside
(config)# aaa authentication ssh console YourAuthGroup LOCAL

4. Configure authentication groups.
The security appliance supports the following types of AAA servers:

  • Local
  • RADIUS
  • TACACS+
  • SDI (RSA)
  • NT
  • Kerberos
  • LDAP

I have already tested LDAP, RSA and TACACS+. Here I write about LDAP and SDI only. I will test Windows NT and Kerberos as well if I get time.

RSA server config:
The security appliance supports SDI version 5.0 and 6.0, but it seems to work with 6.1 as well.
Here I define two RSA servers with the IPs 6.6.6.6 and 6.6.6.7.

(config)# aaa-server YourSDIGroup protocol sdi
(config-aaa-server-group)# aaa-server YourSDIGroup host 6.6.6.6 YourSharedSecret
(config-aaa-server-group)# aaa-server YourSDIGroup host 6.6.6.7 YourSharedSecret

LDAP server config:
For LDAP authentication you need an LDAP account with a password, the base DN of your LDAP directory and the LDAP attribute that is used for searching in LDAP.

  1. The LDAP server IP is 5.5.5.5
  2. The LDAP account name is “asaadmin” with password “YourLdapPassword”
  3. The LDAP login DN is “cn=asaadmin,o=Admins,dc=YourCompany,dc=com”
  4. The attribute that we are looking for is “userPrincipalName”

(config)# aaa-server YourLDAPGroup protocol ldap
(config)# aaa-server YourLDAPGroup host 5.5.5.5
(config-aaa-server-host)# server-port 1389
(config-aaa-server-host)# ldap-base-dn dc=YourCompany,dc=com
(config-aaa-server-host)# ldap-scope onelevel
(config-aaa-server-host)# ldap-naming-attribute userPrincipalName
(config-aaa-server-host)# ldap-login-password YourLdapPassword
(config-aaa-server-host)# ldap-login-dn cn=asaadmin,o=Admins,dc=YourCompany,dc=com
(config-aaa-server-host)# server-type auto-detect
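As an added example (not Cisco's code and not part of the original post), here is a small Python check that audits a running-config fragment against the points made in the steps above: no telnet access, SSH limited to specific sources, a LOCAL fallback in the SSH authentication list, and syslog sent over TCP with the secure keyword. The two config fragments, the interface name, the syslog host address and the TCP port are constructed for the example.

```python
"""Audit a Cisco ASA running-config fragment for weak management-access settings.

Added example for this post (not Cisco code). It checks the points the post
makes: no telnet access, SSH restricted to specific sources, a LOCAL fallback
in the SSH authentication list, and syslog sent over TCP with the secure
keyword. Both config fragments below are constructed for the example.
"""
import ipaddress
import re

# Constructed weak fragment: telnet enabled, SSH open to any source,
# no LOCAL fallback, clear-text UDP syslog.
WEAK_CONFIG = """\
hostname FirewallHostname
telnet 10.10.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console YourAuthGroup
logging host inside 10.10.10.50
"""

# Constructed hardened fragment, following the post's steps.
HARDENED_CONFIG = """\
hostname FirewallHostname
ssh 10.10.10.1 255.255.255.255 inside
aaa authentication ssh console YourAuthGroup LOCAL
logging host inside 10.10.10.50 TCP/1470 secure
"""

# 'ssh <addr> <mask> <iface>' (other ssh lines such as 'ssh timeout 5' do not match)
SSH_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# 'logging host <iface> <host> [tcp/port|udp/port] [format emblem] [secure]'
LOGGING_RE = re.compile(r"^logging host\s+(\S+)\s+(\S+)(.*)$")


def audit_config(text):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Any 'telnet <addr> <mask> <iface>' line enables clear-text management access.
        if line.startswith("telnet "):
            findings.append(("high", f"telnet management access enabled: '{line}'"))

        # SSH sources: flag an any-source entry or a very broad range.
        m = SSH_RE.match(line)
        if m:
            addr, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen == 0:
                findings.append(("high", f"SSH allowed from any source on {iface}"))
            elif net.prefixlen < 24:
                findings.append(("medium", f"broad SSH source range on {iface}: {net}"))

        # Keep LOCAL in the method list so a dead AAA server does not lock you out.
        if line.startswith("aaa authentication ssh console"):
            methods = line.split()[4:]
            if "LOCAL" not in methods:
                findings.append(("medium", "no LOCAL fallback in SSH authentication list"))

        # Syslog: require the 'secure' keyword, which only works over TCP.
        m = LOGGING_RE.match(line)
        if m:
            iface, host, rest = m.groups()
            opts = [o.lower() for o in rest.split()]
            uses_tcp = any(o.startswith("tcp") for o in opts)
            if "secure" not in opts:
                findings.append(("medium", f"syslog to {host} is clear text (no 'secure' keyword)"))
            elif not uses_tcp:
                findings.append(("medium", f"secure syslog to {host} needs a TCP transport; UDP is not supported"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run it against the output of `show running-config` saved to a file; the weak fragment produces four findings and the hardened one none. The subnet check uses a /24 threshold as an arbitrary example value, so adjust it to match the management network you actually use.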

The beauty of Cisco is that you can check tons of state for the authentication protocols.
If the server status is not ACTIVE, then you have a problem.

# sh aaa-server protocol sdi
Server Group: YourSDIGroup
Server Protocol: sdi
Server Address: 6.6.6.6
Server port: 5500
Server status: ACTIVE, Last transaction at 12:48:32 GMT Sat Nov 13 2010
Number of pending requests 0
Average round trip time 746ms
Number of authentication requests 117
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 86
Number of rejects 14
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 3
Number of unrecognized responses 0

SDI Server List:
Active Address: 6.6.6.6
Server Address: 6.6.6.6
Server port: 5500
Priority: 7
Proximity: 2
Status: OK
Number of accepts 40
Number of rejects 6
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 0
Number of timeouts 0

Active Address: 6.6.6.7
Server Address: 6.6.6.7
Server port: 5500
Priority: 8
Proximity: 2
Status: OK
Number of accepts 46
Number of rejects 8
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 0
Number of timeouts 0

Server Group: YourSDIGroup
Server Protocol: sdi
Server Address: 6.6.6.7
Server port: 5500
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

SDI Server List:
Active Address: 6.6.6.7
Server Address: 6.6.6.7
Server port: 5500
Priority: 0
Proximity: 0
Status: OK
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 0
Number of timeouts 0

The same command for LDAP is the following.

# sh aaa-server protocol ldap
Server Group: YourLDAPGroup
Server Protocol: ldap
Server Address: 5.5.5.5
Server port: 1389
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 0
Number of authorization requests 23
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 23
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
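As an added example (not Cisco's code and not part of the original post), the following Python script parses the `show aaa-server` output shown above and applies the check the post describes: any server whose status is not ACTIVE is a problem, and it also reports timeouts and a high reject ratio, which are the counters worth a second look. The sample output is constructed for the example, modelled on the post's output with unrelated counters dropped and one server set to FAILED so that path is exercised.

```python
"""Parse Cisco ASA 'show aaa-server' output and flag servers that need attention.

Added example for this post (not Cisco code). The sample output is constructed,
modelled on the post's output: counters the check does not use are left out,
and the LDAP server is shown as FAILED to exercise the non-ACTIVE path.
"""
import re

SAMPLE_OUTPUT = """\
Server Group: YourSDIGroup
Server Protocol: sdi
Server Address: 6.6.6.6
Server port: 5500
Server status: ACTIVE, Last transaction at 12:48:32 GMT Sat Nov 13 2010
Number of authentication requests 117
Number of authorization requests 0
Number of accounting requests 0
Number of accepts 86
Number of rejects 14
Number of timeouts 3

SDI Server List:
Active Address: 6.6.6.6
Server Address: 6.6.6.6
Status: OK
Number of accepts 40
Number of rejects 6
Number of timeouts 0

Server Group: YourSDIGroup
Server Protocol: sdi
Server Address: 6.6.6.7
Server status: ACTIVE, Last transaction at unknown
Number of authentication requests 0
Number of authorization requests 0
Number of accounting requests 0
Number of accepts 0
Number of rejects 0
Number of timeouts 0

Server Group: YourLDAPGroup
Server Protocol: ldap
Server Address: 5.5.5.5
Server port: 1389
Server status: FAILED, Last transaction at unknown
Number of authentication requests 0
Number of authorization requests 23
Number of accounting requests 0
Number of accepts 0
Number of rejects 23
Number of timeouts 0
"""

# Fields to extract from each 'Server Group:' block; group 1 is the value.
FIELD_PATTERNS = {
    "group": re.compile(r"Server Group:\s*(\S+)"),
    "protocol": re.compile(r"Server Protocol:\s*(\S+)"),
    "address": re.compile(r"Server Address:\s*(\S+)"),
    "status": re.compile(r"Server status:\s*([A-Z]+)"),
    "auth": re.compile(r"Number of authentication requests\s+(\d+)"),
    "authz": re.compile(r"Number of authorization requests\s+(\d+)"),
    "acct": re.compile(r"Number of accounting requests\s+(\d+)"),
    "accepts": re.compile(r"Number of accepts\s+(\d+)"),
    "rejects": re.compile(r"Number of rejects\s+(\d+)"),
    "timeouts": re.compile(r"Number of timeouts\s+(\d+)"),
}


def parse_aaa_servers(text):
    """Return one dict per 'Server Group:' block.

    The server-level counters come before the 'SDI Server List:' sub-block,
    which repeats lines such as 'Server Address' and 'Number of accepts', so
    only the first occurrence of each field in a block is kept.
    """
    servers, current = [], None
    for line in text.splitlines():
        if line.startswith("Server Group:"):
            current = {}
            servers.append(current)
        if current is None:
            continue
        for name, pattern in FIELD_PATTERNS.items():
            if name in current:
                continue
            m = pattern.match(line)
            if m:
                value = m.group(1)
                current[name] = int(value) if value.isdigit() else value
    return servers


def check_health(servers, reject_ratio_limit=0.5):
    """Return (address, group, problem) tuples for servers that need a look."""
    problems = []
    for s in servers:
        where = (s.get("address", "?"), s.get("group", "?"))
        if s.get("status") != "ACTIVE":
            problems.append(where + (f"status is {s.get('status')}",))
        total = s.get("auth", 0) + s.get("authz", 0) + s.get("acct", 0)
        if s.get("timeouts", 0) > 0:
            problems.append(where + (f"{s['timeouts']} timeouts out of {total} requests",))
        if total and s.get("rejects", 0) / total > reject_ratio_limit:
            problems.append(where + (f"high reject ratio: {s['rejects']}/{total}",))
    return problems


if __name__ == "__main__":
    for address, group, problem in check_health(parse_aaa_servers(SAMPLE_OUTPUT)):
        print(f"{group} {address}: {problem}")
```

Paste the real `show aaa-server` output in place of the sample; a server with zero requests and ACTIVE status (like 6.6.6.7 here) is simply a standby that has not been used yet, so it is not reported, while a non-ACTIVE status is always reported regardless of the counters.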