
How to configure Cisco ASA firewall with basic configuration


This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc.) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.
Next we will see a simple Internet access scenario which will help us to understand the basic steps needed to set up an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the inside LAN switch. Refer to the diagram below for our example scenario.




The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:
Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under configuration mode:
ASA5510(config)# enable password mysecretpassword
Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut
Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
UPDATE for ASA Version 8.3
In March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially in the NAT/PAT mechanism. The “global” command is no longer supported, and NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below replaces the two commands of Step 4 on ASA 8.3 and later:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
Step 6: Configure the firewall to assign internal IP addresses and a DNS server address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
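As an added example (not from the original article), a small Python check that parses the ASA 8.3+ form of the configuration above and verifies the invariants the six steps rely on: outside/inside security levels of 0/100, PAT expressed as object NAT rather than the retired global/nat syntax, a default-route next hop that lies on the outside subnet, and a DHCP pool that lies within the inside subnet. The configuration string is constructed from the article's values, as "show running-config" would print it.

```python
import ipaddress
import re

# Constructed sample: the article's basic config in ASA 8.3+ form (prompts stripped).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd address 192.168.10.10-192.168.10.200 inside
"""

def parse_interfaces(config):
    """Map each nameif to its security-level and directly connected subnet."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a new stanza begins; only track interface ones
            cur = {} if line.startswith("interface ") else None
        elif cur is not None:
            key, _, rest = line.strip().partition(" ")
            if key == "nameif":
                ifaces[rest] = cur
            elif key == "security-level":
                cur["level"] = int(rest)
            elif key == "ip":  # rest is "address A.B.C.D M.M.M.M"
                ip, mask = rest.split()[1:3]
                cur["net"] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ifaces

def check_basic_config(config):
    """Return a list of findings; an empty list means the template's invariants hold."""
    f, ifs = [], parse_interfaces(config)
    out, ins = ifs.get("outside", {}), ifs.get("inside", {})
    if out.get("level") != 0 or ins.get("level") != 100:
        f.append("outside/inside security levels are not 0/100")
    if ("nat (inside,outside) dynamic interface" not in config
            or re.search(r"^(global \(|nat \(inside\) 1 )", config, re.M)):
        f.append("inside-to-outside PAT missing or still in pre-8.3 global/nat syntax")
    m = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not (m and out.get("net") and ipaddress.IPv4Address(m[1]) in out["net"]):
        f.append("default route missing or next hop not on the outside subnet")
    m = re.search(r"^dhcpd address (\S+)-(\S+) inside", config, re.M)
    if m and ins.get("net") and not all(ipaddress.IPv4Address(a) in ins["net"] for a in m.groups()):
        f.append("DHCP pool lies outside the inside interface subnet")
    return f
```

Running `check_basic_config(SAMPLE_CONFIG)` returns an empty list; swapping the object NAT for the pre-8.3 `global`/`nat (inside) 1` lines, or pointing the default route at an address off the /30, produces a finding.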
The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as static and dynamic NAT, access control lists to control traffic flow, DMZ zones, VPNs, etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further.
