ASA Enable Mode Password Configuration

Let's set a password on the enable mode of the ASA Firewall, Cisco's well-known firewall.

You can easily try it in Packet Tracer with a single ASA.


As soon as you log in to the ASA, it asks for the enable password. The default is an empty password; no password is set at all.
Then go to config mode. You set the password exactly the way you set one on Cisco IOS.

The difference is that by default the password is stored encrypted, so it is more secure.
On Cisco IOS you remove a password by prefixing the command with no, as in no enable password.
On the ASA, removing the enable password is a little different.

You simply type enable password again, with no argument. 😀


Also, on Cisco IOS you have to prefix show and clear commands with do when you want to use them in config mode, but on the ASA show and clear commands can be typed in any mode, which is more convenient than Cisco IOS.

Configuration

ciscoasa> enable
Password:   (Hit Enter)    (Default is no password)
ciscoasa# config term
ciscoasa(config)# enable password ip6
ciscoasa(config)# exit
ciscoasa# exit

Logoff
Type help or ‘?’ for a list of available commands.

ciscoasa> enable
Password: ip6  (Now password is ip6)
ciscoasa# show running
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8lSpXZezMFKSPK1E encrypted   (By default, password is encrypted)
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
Output Omitted
(Use "q" to break out of the paged output.)

ciscoasa# config term
ciscoasa(config)# enable password   (Removing the password)
ciscoasa(config)# show running  (We can use show and clear commands in any mode of the ASA)
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
Output Omitted
ciscoasa(config)#

Now you have poked around the ASA CLI a little and know how to set and remove the enable password.

Rather than knowing nothing about the ASA, you now know at least one thing.

Thanks.



About the author

Nyi Nyi Min, CCNP, CCDP, is an instructor and course developer for CCNA, CCNP and CCIE. He holds multiple professional certifications from Cisco, Juniper, Microsoft, VMware, etc. and has worked on and supported several enterprise networks. He is the founder of IP6 Networks (www.ip6networks.com), where he currently teaches CCNA and CCNP classes.



Securing IOS Enable mode CLI

Snapshot from my CCNA teaching note.

• First we create enable-mode passwords. The two commands that protect enable mode are enable password and enable secret, and enable secret is the more secure of the two.

• The enable password command stores the password as clear text, and the only option to obscure it is the weak service password-encryption command.

• The enable secret command automatically hashes the password, using a Message Digest 5 (MD5) hash before IOS 15 code.

Configuration, Verification & Testing

> Task 1 >> Let's configure enable-mode protection passwords. Both enable secret and enable password will be configured. Let's see which one IOS will use.

R1> enable
R1# conf t
R1(config)# enable secret iP6password1
R1(config)# enable password iP6password2
R1(config)# exit
R1# disable
R1> enable
Password: iP6password1  "Because IOS prefers enable secret over enable password."
R1# show runn | in enable
enable secret 5 $1$0jxr$Os5Ebw0EAFsSF1hrZDedl/
enable password iP6password2

> Task 2 >> Let's delete the enable secret. IOS will then use the enable password only.

R1# conf t
R1(config)# no enable secret
R1(config)# exit
R1# disable
R1> enable
Password: iP6password2
R1# show runn | in enable
enable password iP6password2
R1# show runn | in service password
no service password-encryption  "By default, the password encryption service is disabled."

> Task 3 >> Let's use the password encryption service.

R1# conf t
R1(config)# service password-encryption
R1(config)# exit
R1# show runn | in enable |service password
service password-encryption
enable password 7 110029530713181F132539207A  "Now the password is encrypted by the service."

> Task 4 >> We will remove the password encryption service. Let's check whether the password is clear text.

R1# conf t
R1(config)# no service password-encryption
R1(config)# exit
R1# show runn | in enable |service password
no service password-encryption
enable password 7 110029530713181F132539207A  "Although the service is off, the password stays encrypted until it is changed next time."

> Task 5 >> After changing the enable password, we will see the password as clear text.

R1# conf t
R1(config)# enable password iP6password3
R1(config)# exit
R1# show runn | in enable |service password
no service password-encryption
enable password iP6password3
R1#
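The ASA transcript earlier on this page and Tasks 1 to 5 above both come down to one question a reviewer asks of any running-config: what protects enable mode, and how is it stored? The following audit script is an added example written for this page; it is not code from the author or from Cisco. It assumes the platform heuristic it uses (an "ASA Version" header means ASA, otherwise IOS) and works on constructed config excerpts modelled on the transcripts above rather than on captured device output. It flags the three weak states the post demonstrates: the ASA's empty default password, an IOS enable password in clear text, and a type 7 password produced by service password-encryption, and it reports that IOS uses enable secret when both commands are present.

```python
import re

# Constructed sample running-configs modelled on the transcripts in this post
# (trimmed to the lines that matter; not captured from real devices).
ASA_CONFIG_WITH_PASSWORD = """\
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8lSpXZezMFKSPK1E encrypted
names
!
"""

ASA_CONFIG_NO_PASSWORD = """\
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
"""

IOS_CONFIG_BOTH = """\
hostname R1
!
no service password-encryption
!
enable secret 5 $1$0jxr$Os5Ebw0EAFsSF1hrZDedl/
enable password iP6password2
!
"""

IOS_CONFIG_TYPE7 = """\
hostname R1
!
service password-encryption
!
enable password 7 110029530713181F132539207A
!
"""

TYPE7_RE = re.compile(r"^7 [0-9A-Fa-f]+$")        # 'enable password 7 <hex>'
ASA_ENCRYPTED_RE = re.compile(r"^\S+ encrypted$")  # ASA stores '<hash> encrypted'


def platform_of(config):
    """Assumed heuristic: an 'ASA Version' header means ASA, anything else IOS."""
    for line in config.splitlines():
        if line.startswith("ASA Version"):
            return "asa"
    return "ios"


def audit_enable(config):
    """Classify how enable mode is protected and return the findings a reviewer would raise."""
    platform = platform_of(config)
    secret = None    # (type, hash) from 'enable secret'
    password = None  # everything after 'enable password '
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^enable secret (\d+) (\S+)$", line)
        if m:
            secret = (m.group(1), m.group(2))
        elif line.startswith("enable password "):
            password = line[len("enable password "):].strip()

    findings = []
    if platform == "asa":
        # ASA: no 'enable password' line means enable mode keeps the empty default
        if password is None:
            effective, storage = "none", "none"
            findings.append("ASA enable mode uses the empty default password")
        elif ASA_ENCRYPTED_RE.match(password):
            effective, storage = "password", "hashed"  # ASA default storage
        else:
            effective, storage = "password", "clear"
            findings.append("ASA enable password is not stored encrypted")
    elif secret is not None:
        # IOS prefers enable secret whenever both commands are configured
        effective = "secret"
        storage = "md5" if secret[0] == "5" else "type" + secret[0]
        if password is not None:
            findings.append("enable password is present but unused while enable secret is set; remove it")
    elif password is not None:
        effective = "password"
        if TYPE7_RE.match(password):
            storage = "type7"
            findings.append("type 7 (service password-encryption) is reversible; replace with enable secret")
        else:
            storage = "clear"
            findings.append("enable password is stored in clear text; replace with enable secret")
    else:
        effective, storage = "none", "none"
        findings.append("no enable-mode credential configured")

    return {"platform": platform, "effective": effective, "storage": storage, "findings": findings}


if __name__ == "__main__":
    for name, cfg in [("asa-with-password", ASA_CONFIG_WITH_PASSWORD),
                      ("asa-no-password", ASA_CONFIG_NO_PASSWORD),
                      ("ios-both", IOS_CONFIG_BOTH), ("ios-type7", IOS_CONFIG_TYPE7)]:
        print(name, audit_enable(cfg))
```

Run it as a script to see one result line per sample config; to audit a real device, paste the output of show running-config into a file and pass its contents to audit_enable. The script deliberately only classifies type 7 strings and never decodes them; the useful outcome is the finding, which is to move to enable secret.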

Part 2 LAB Link

Nyi Nyi Min.

System Message Security Level and Example Format

This simple explanation from the CCNA Official Guide makes the system message format of a Cisco router easy to understand. Let's start.

Let’s examine one of the messages from our Cisco router to examine the default message format:

*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

Notice that by default on this particular device, we see the following:
A timestamp: *Dec 18 17:10:15.079
The facility on the router that generated the message: %LINEPROTO
The severity level: 5
A mnemonic for the message: UPDOWN
The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down

Turn off timestamps and turn on sequence numbers

R1(config)# no service timestamps
R1(config)# service sequence-numbers
R1(config)# exit
R1#

000011: %SYS-5-CONFIG_I: Configured from console by console

The message format now features the following:
Sequence number: 000011
Facility: %SYS
Severity level: 5
Mnemonic: CONFIG_I
Description: Configured from console by console

One of the most important ingredients in the system message on a Cisco device is the severity level. This is because we can use severity levels to easily control which messages are sent to which logging destinations.

Level 0 > Emergency > The system may be unusable.
Level 1 > Alert > Immediate action may be required.
Level 2 > Critical > A critical event took place.
Level 3 > Error > The router experienced an error.
Level 4 > Warning > A condition might warrant attention.
Level 5 > Notification > A normal but significant condition occurred.
Level 6 > Informational > A normal event occurred.
Level 7 > Debugging > The output is a result of a debug command.

Levels 5 through 7 are for less important events.
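The two message layouts shown above (timestamped, and sequence-numbered after service sequence-numbers) share the same %FACILITY-SEVERITY-MNEMONIC core, and the severity digit is what a per-destination filter such as logging trap acts on. The parser below is an added example for this page, not code from the author or from Cisco; the log lines it runs on are constructed to match the formats above and are not captured from a real router. It splits each message into its fields, names the severity using the table above, and applies the destination rule that a logging level of N delivers levels 0 through N.

```python
import re

# Constructed sample log lines in the two formats shown above (timestamped, and
# sequence-numbered after 'service sequence-numbers'); not captured from a real router.
SAMPLE_LOG = """\
*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
000011: %SYS-5-CONFIG_I: Configured from console by console
000012: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
*Dec 18 17:10:20.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 port 514 started - CLI initiated
garbage line that is not a system message
"""

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Either a sequence number or a timestamp (a leading '*' means the router's
# clock is not authoritative), then %FACILITY-SEVERITY-MNEMONIC: description.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+)|\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<desc>.*)$"
)


def parse_message(line):
    """Split one system message into its fields; return None for lines that do not match."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    level = int(m.group("severity"))
    return {
        "sequence": m.group("seq"),
        "timestamp": m.group("ts"),
        "facility": m.group("facility"),
        "severity": level,
        "severity_name": SEVERITY_NAMES[level],
        "mnemonic": m.group("mnemonic"),
        "description": m.group("desc"),
    }


def parse_log(text):
    """Parse every recognisable message in a block of log text, skipping the rest."""
    return [msg for msg in (parse_message(l) for l in text.splitlines()) if msg is not None]


def select_for_destination(messages, max_level):
    """Mirror a per-destination level filter such as 'logging trap <level>':
    a destination set to level N receives severities 0..N (N and more severe)."""
    return [m for m in messages if m["severity"] <= max_level]


def count_by_severity(messages):
    """Histogram of severity names, useful for a quick health check of a log dump."""
    counts = {}
    for m in messages:
        counts[m["severity_name"]] = counts.get(m["severity_name"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(count_by_severity(parsed))
    # Only the level-3 LINK message would reach a syslog host set to 'logging trap warnings' (4)
    for msg in select_for_destination(parsed, 4):
        print(msg["facility"], msg["severity_name"], msg["mnemonic"], msg["description"])
```

The unparsed "garbage" line is dropped rather than raising, which is the behaviour you want when feeding a whole buffer from show logging through the parser; anything that does not match the %FACILITY-SEVERITY-MNEMONIC shape is not a system message.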

Layer 2 Security

Port Security : Limits the number of MAC addresses that can be learned on an access switch port.
BPDU guard : If BPDUs show up where they should not, the switch protects itself.
Root guard : Controls which ports are not allowed to become root ports toward remote root switches.
802.1x : Authenticates users before allowing their data frames into the network.
IP source guard : Prevents spoofing of Layer 3 information by hosts.
DHCP snooping : Prevents rogue DHCP servers from impacting the network.
Storm control : Limits the amount of broadcast or multicast traffic flowing through the switch.
Dynamic ARP inspection : Prevents spoofing of Layer 2 information by hosts.
Access control lists : Traffic control to enforce policy.

Security Lifecycle

Understanding exactly how a security device fits into the network and how it can mitigate risk is an important aspect of network security.

It is important to understand that security is never completely done; new attacks and vulnerabilities continuously crop up.

So we use a lifecycle approach to security, accepting that it is never absolutely complete.
The security lifecycle has five phases:

Initiation : Preliminary risk assessments and categorizing of risk
Acquisition and development : More detailed risk assessment
Implementation : Putting countermeasures in place on the production network
Operations and maintenance : Monitoring
Disposition : Disposing of network gear