
Basic ASA Firewall Configuration


This tutorial shows a basic Cisco ASA firewall configuration. To bring the firewall into an operating state, create a user for login, define the user's privilege level (privilege 15 is the most privileged Cisco level that can be assigned to a user) and turn on local authentication for SSH, Telnet, web (HTTP), serial console and enable access:


ciscoasa>enable
ciscoasa#conf t
ciscoasa(config)#hostname asa1
ASA1(config)#domain-name example.com
ASA1(config)#username John password Razor1293! encrypted privilege 15
ASA1(config)#aaa authentication ssh console LOCAL
ASA1(config)#aaa authentication telnet console LOCAL
ASA1(config)#aaa authentication http console LOCAL
ASA1(config)#aaa authentication serial console LOCAL
ASA1(config)#aaa authentication enable console LOCAL
ASA1(config)#console timeout 0


To enable SSH access you must generate an RSA key pair and define the address range and the interface from which SSH access is allowed:

ASA1(config)#crypto key generate rsa modulus 1024
ASA1(config)#ssh 192.168.15.0 255.255.255.0 inside
ASA1(config)#ssh timeout 30
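As an added example that is not part of the original post, the following Python script applies the management-access checks a reviewer would run against the login and SSH commands above: it parses a constructed config text built from this post's commands and reports weak settings. The 2048-bit key minimum and the treatment of `console timeout 0` as a finding are assumptions of this example, not values from the post.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: the commands from this post (plus the key-generation command) as one config text.
SAMPLE_CONFIG = """
username John password Razor1293! encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
console timeout 0
crypto key generate rsa modulus 1024
ssh 192.168.15.0 255.255.255.0 inside
ssh timeout 30
"""

AAA_RE = re.compile(r"aaa authentication (\w+) console \S+")
ACCESS_RE = re.compile(r"(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")
RSA_RE = re.compile(r"crypto key generate rsa modulus (\d+)")

def audit_asa_config(config, min_rsa_bits=2048):
    """Return finding strings for the management-access settings this post configures."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Each access method needs its own aaa line; otherwise the ASA falls back to the shared enable password.
    aaa = {m.group(1) for m in map(AAA_RE.match, lines) if m}
    for method in ("ssh", "http", "serial", "enable"):
        if method not in aaa:
            findings.append(f"no 'aaa authentication {method} console' line")
    # Management access lines: flag cleartext telnet and any source that is not a bounded internal network.
    for m in filter(None, map(ACCESS_RE.match, lines)):
        proto, iface = m.group(1), m.group(4)
        net = IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if proto == "telnet":
            findings.append(f"telnet (cleartext) management allowed from {net} on {iface}")
        if net.prefixlen == 0 or iface == "outside":
            findings.append(f"{proto} management reachable from {net} on {iface}")
    # Key size threshold and the idle-timeout rule are assumed policy values, not taken from the post.
    for m in filter(None, map(RSA_RE.match, lines)):
        if int(m.group(1)) < min_rsa_bits:
            findings.append(f"ssh host key is {m.group(1)}-bit RSA; policy minimum is {min_rsa_bits}")
    if "console timeout 0" in lines:
        findings.append("console timeout 0: idle console sessions never expire")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run as-is it reports two findings for the post's own commands: the 1024-bit host key and the disabled console timeout.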


Configure the firewall interfaces (inside with security level 100, outside with security level 0):

ASA1(config)#interface ethernet0/0
ASA1(config-if)#switchport access vlan 2
ASA1(config-if)#speed 100
ASA1(config-if)#duplex full
ASA1(config)#interface Vlan1
ASA1(config-if)#nameif inside
ASA1(config-if)#ip address 192.168.15.1 255.255.255.0
ASA1(config-if)#security-level 100
ASA1(config-if)#no shutdown
ASA1(config)#interface Vlan2
ASA1(config-if)#nameif outside
ASA1(config-if)#ip address 193.222.168.113 255.255.255.240
ASA1(config-if)#security-level 0
ASA1(config-if)#no shutdown


Add a default route, which sets the default gateway. The "show route" command displays the routing table, which can look something like this:

ASA1(config)#route outside 0.0.0.0 0.0.0.0 193.222.168.111 1
ASA1(config)#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 193.222.168.111 to network 0.0.0.0

C    192.168.15.0 255.255.255.0 is directly connected, inside
C    195.252.68.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 193.222.168.111, outside
ASA1(config)#
(The default route points at the default gateway: all packets destined for external networks are sent to it.)

Next, set up Network Address Translation, specifically PAT (Port Address Translation), which translates your private addresses into a public address and gives your internal network access to the outside:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113
ASA1(config)#

(PAT is useful when you have a limited number of public IP addresses available for assignment to external interfaces. With PAT, all internal addresses communicating with the outside world share the public IP address of the outside interface; this is possible because each internal address and source port is mapped to a different port on the public address.)
