Cisco ASA5500 (5505, 5510, 5520, etc) Series Firewall Security Applian...
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/96...
12/6/2014 10:58 PM

| Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 |
|---|---|---|---|---|---|
| Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Maximum Firewall Throughput | | | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps |
| Maximum Firewall and IPS Throughput (with AIP-SSM module) | | Up to 300 Mbps with AIP-SSM-20 | Up to 225 Mbps with AIP-SSM-10; Up to 375 Mbps with AIP-SSM-20; Up to 450 Mbps with AIP-SSM-40 | Up to 500 Mbps with AIP-SSM-20; Up to 650 Mbps with AIP-SSM-40 | Not available |
| 3DES/AES VPN Throughput*** | | | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps |
| IPsec VPN Peers | 10; 25 | 250 | 750 | 5000 | 5000 |
| AnyConnect Premium VPN Peers* (Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000 |
| Concurrent Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000 |
| Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000 |
| Integrated Network Ports | 8-port Fast Ethernet switch | 5 Fast Ethernet ports*; 2 Gigabit Ethernet + 3 Fast Ethernet ports* | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet |
| Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400 |

Users can also download the complete technical datasheet (/downloads/cisco-product-datasheets-a-guides/cisco-asa-5500-series-adaptivesecurity-appliances.html) for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section (/downloads/cisco-product-datasheets-a-guides.html).
Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to set up pretty much all ASA 5500

The main differences, besides the licenses (which enable or disable features), are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and any modules that might be installed. In any case, we should keep in mind that if we are able to configure a small ASA5505, then configuring the larger models won't be an issue.

At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article. Do note, however, that all commands and the configuration philosophy are the same across all ASA5500 series security appliances.
Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article provides both the old-style (up to v8.2.5) and the new-style (v8.3 onwards) NAT configuration commands.
Additional reading material: Users seeking nothing but the best security information on ASA Firewalls, written by leading Cisco Security Engineers, should consider the following highly recommended Cisco Press titles:

Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition (http://www.ciscopress.com/store/cisco-asa-all-in-one-firewall-ips-anti-x-and-vpn-adaptive-9781587058196)

Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition (http://www.ciscopress.com/store/cisco-asa-pix-and-fwsmfirewall-handbook-9781587054570)

We've created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall. Here is the list of
Note: it is highly advisable to save the ASA configuration frequently, to ensure no work is lost in the event of a power failure or an accidental restart.

Saving the configuration can be easily done using the write memory command:

ciscoasa(config)# write memory
[OK]
ERASING EXISTING CONFIGURATION

This first step is optional as it will erase the firewall's configuration. If the firewall has been previously configured or used, it is a good idea to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is deleted we need to force a reboot; however, take note that it's important not to save the system config, to ensure the running-config is not copied to the

[OK]
ciscoasa(config)# reload
ciscoasa(config)#
***
***
Rebooting.....

The ASA Firewall won't ask for a username/password when logging in next; however, the default enable password of cisco will be

ciscoasa> enable
Password: cisco
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,

command, the system will ask if we would like to enable Cisco's call-home reporting feature. We declined the offer and continued
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges, with access to all configuration commands, including erasing the configuration and the files on the device's flash disk, such as the operating system.
In many cases network engineers use VLAN interfaces on the larger ASA5500 models; however, this depends on the licensing capabilities

In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step)

ASA5505(config-if)# no shutdown
ASA5505(config-if)# no shutdown
ASA5505(config-if)# no shutdown
Alternatively, the Public interface (VLAN2) can be configured to obtain its IP address automatically via DHCP with the following command:

ASA5505(config-if)# ip address dhcp setroute

The setroute parameter at the end of the command ensures the ASA Firewall sets its default route (gateway) using the default gateway parameter the DHCP server provides.
After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface. Out of the 8 Ethernet interfaces the ASA5505 has, at least one must be set with the switchport access vlan 2 command, otherwise there won't be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order to make them operational. All of these ports are, by default, access links for VLAN1. Provided are the configuration commands for the first two ethernet interfaces, as the configuration is identical for all:

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown
In the above configuration, the ASA Firewall is instructed to NAT all internal networks using NAT group 1. The number 1 identifies the NAT group for the NAT process between the inside and outside interfaces.

The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside interface.

Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NATed with the use of access lists:
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.75.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.76.0.0 255.255.255.0 any
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 access-list NAT-ACLs
NAT with the use of access lists provides greater flexibility and control over which IP addresses or networks will use the NAT service.

With software version 8.3 and newer, things have changed dramatically and there are no more access lists in NAT configuration lines. The new NAT format utilizes "object network", "object service" and "object-group network" to define the parameters of the NAT configuration.

The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet:
ASA5505(config)# object network network1
ASA5505(config-network-object)# subnet 10.71.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network2
ASA5505(config-network-object)# subnet 10.75.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network3
ASA5505(config-network-object)# subnet 10.76.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
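The mapping between the two NAT styles is mechanical for the case shown above (source networks from an access list, destination "any", PAT to the outside interface address). The following Python script is an added example, not code from the article or from Cisco: it takes the pre-8.3 access-list based commands exactly as pasted from a session and emits the equivalent 8.3+ object NAT. It assumes only the three command shapes used above and the article's network1..N object naming; access lists with a specific destination would need twice (manual) NAT and are deliberately not handled.

```python
# Added example (not from the firewall.cx article): translate the pre-8.3
# access-list based dynamic NAT into the 8.3+ object NAT form.
# Assumptions: only these command shapes are handled:
#   access-list <NAME> extended permit ip <NET> <MASK> any
#   nat (<inside-if>) <id> access-list <NAME>
#   global (<outside-if>) <id> interface
# Object names follow the article's network1..N convention.
import re
from typing import Dict, List, Tuple

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip "
    r"(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3}) any$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")


def strip_prompt(line: str) -> str:
    """Remove a leading 'ASA5505(config)# ' style prompt so pasted sessions parse."""
    return PROMPT_RE.sub("", line.strip())


def convert_acl_nat(old_config: List[str]) -> List[str]:
    """Return 8.3+ object NAT lines equivalent to an 8.2 ACL-based dynamic NAT."""
    acls: Dict[str, List[Tuple[str, str]]] = {}   # ACL name -> [(net, mask)]
    nat_rules: Dict[str, Tuple[str, str]] = {}    # NAT id -> (inside if, ACL)
    global_ifs: Dict[str, str] = {}               # NAT id -> outside if

    for raw in old_config:
        line = strip_prompt(raw)
        if not line or line.startswith("INFO:"):   # skip blanks and ASA echoes
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = NAT_RE.match(line)
        if m:
            nat_rules[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ifs[m.group(2)] = m.group(1)

    new_config: List[str] = []
    n = 0
    for nat_id, (inside_if, acl_name) in nat_rules.items():
        if nat_id not in global_ifs:
            raise ValueError(f"nat id {nat_id} has no matching 'global' command")
        if acl_name not in acls:
            raise ValueError(f"access-list {acl_name} is referenced but never defined")
        outside_if = global_ifs[nat_id]
        # Each permitted source network becomes its own network object.
        # 'dynamic interface' is the 8.3 counterpart of 'global (outside) 1 interface':
        # PAT to the address of the outside interface.
        for net, mask in acls[acl_name]:
            n += 1
            if new_config:
                new_config.append("!")
            new_config += [
                f"object network network{n}",
                f" subnet {net} {mask}",
                f" nat ({inside_if},{outside_if}) dynamic interface",
            ]
    return new_config


# Sample input: the article's own pre-8.3 commands, as pasted from the session.
OLD_NAT_CONFIG = [
    "ASA5505(config)# access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any",
    "ASA5505(config)# access-list NAT-ACLs extended permit ip 10.75.0.0 255.255.255.0 any",
    "ASA5505(config)# access-list NAT-ACLs extended permit ip 10.76.0.0 255.255.255.0 any",
    "ASA5505(config)# global (outside) 1 interface",
    "INFO: outside interface address added to PAT pool",
    "ASA5505(config)# nat (inside) 1 access-list NAT-ACLs",
]

if __name__ == "__main__":
    print("\n".join(convert_acl_nat(OLD_NAT_CONFIG)))
```

Run against the article's six pre-8.3 lines, the script prints the three object network blocks shown above. The nat id is checked against a matching global command so that a half-pasted configuration fails loudly instead of silently producing NAT rules for networks that were never meant to be translated.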
Automatic bindings     1
Expired bindings
Malformed messages     0

Message          Received
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM
1
0
0
1
If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.

ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES

Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option; however, we must keep in mind that telnet management provides no security at all, as all data (including usernames, passwords and configurations) is sent in clear text.

Before enabling SSH, we must generate an RSA key pair for the identity certificate. Telnet does not require any such step as it does not provide any encryption or security:
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside
ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside
ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside
Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on the inside interface.
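The management-access lines above are short, but they are exactly the ones that get loosened during troubleshooting and never tightened again. The script below is an added example, not from the article or from Cisco: it reads the ssh/telnet/crypto key commands as pasted from a session and reports the weak spots a reviewer would look for (telnet anywhere, management open to any source, SSH on the outside interface from more than a single host, and an RSA modulus below 2048 bits). The severities and the 2048-bit threshold are this example's own choices; the trusted interface name "inside" is taken from the article.

```python
# Added example (not from the firewall.cx article): audit ASA management-access
# commands for common weaknesses.  Assumptions: input is a pasted session
# (prompts are stripped); severities and thresholds are this example's defaults.
import ipaddress
import re
from typing import List, Tuple

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
MGMT_RE = re.compile(r"^(ssh|telnet) (\S+) (\S+) (\S+)$")   # proto net mask iface
RSA_RE = re.compile(r"^crypto key generate rsa(?: general-keys)? modulus (\d+)$")

MIN_RSA_BITS = 2048                 # 1024-bit RSA is below current key-size guidance
TRUSTED_INTERFACES = {"inside"}     # interfaces where wider management access is tolerated


def audit_management_access(session: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for ssh/telnet/RSA commands in the session."""
    findings: List[Tuple[str, str]] = []
    for raw in session:
        line = PROMPT_RE.sub("", raw.strip())

        m = RSA_RE.match(line)
        if m:
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append(("medium", f"RSA key modulus {bits} is below {MIN_RSA_BITS} bits"))
            continue

        m = MGMT_RE.match(line)
        if not m:
            continue            # not a management-access command
        proto, net, mask, iface = m.groups()
        # ipaddress accepts dotted-decimal masks: 10.71.0.0/255.255.255.0 -> 10.71.0.0/24
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)

        if network.prefixlen == 0:
            findings.append(("high", f"{proto} on {iface} permitted from any source"))
        if proto == "telnet":
            # Clear-text management: tolerable on a trusted LAN, never on the public side.
            sev = "low" if iface in TRUSTED_INTERFACES else "high"
            findings.append((sev, f"telnet (clear text) permitted on {iface} from {network}"))
        elif iface not in TRUSTED_INTERFACES and network.prefixlen < 32:
            findings.append(("medium", f"ssh on {iface} permitted from {network}, not a single host"))
    return findings


# Sample input 1: the article's own commands.
ARTICLE_SESSION = [
    "ASA5505(config)# crypto key generate rsa modulus 1024",
    "INFO: The name for the keys will be:",
    "Keypair generation process begin. Please wait...",
    "ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside",
    "ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside",
    "ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside",
]

# Sample input 2: a constructed weak configuration (addresses are documentation ranges).
WEAK_SESSION = [
    "ASA5505(config)# telnet 0.0.0.0 0.0.0.0 outside",
    "ASA5505(config)# ssh 203.0.113.0 255.255.255.0 outside",
]

if __name__ == "__main__":
    for name, session in (("article", ARTICLE_SESSION), ("weak", WEAK_SESSION)):
        print(f"== {name} ==")
        for sev, msg in audit_management_access(session):
            print(f"[{sev}] {msg}")
```

For the article's session the audit reports two items: the 1024-bit modulus and the (inside-only) telnet line; the outside SSH rule passes because it is pinned to one host. The constructed weak session trips the any-source and telnet-on-outside checks plus the wide outside SSH range.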
ASA5505(config)# access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=
ASA5505(config)# access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any object-group Internet-udp
ASA5505(config)# access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.75.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.76.0.0 255.255.255.0 any object-group Internet-tcp
Note that the 10.71.0.0/24 network has access to the services in both Object-groups, while our other networks are restricted to only the services defined in the TCP Object-group. To understand how Object-groups help simplify access list management: without them, we would require 37 access-list commands instead of just 4!

The commands used above enable logging at the debugging level (7) and set the buffer size in RAM to 30,000 bytes (~30 Kbytes).

Issuing the show log command will reveal a number of important logs, including any packets that are processed or denied due to access-lists:
ASA5505(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 39925 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
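The buffered log above already tells a story: one inside host is being denied again and again toward TCP 445, TCP 139 and UDP 137, the Windows file-sharing ports the inside-in access list does not permit. Reading that off a 39,925-message buffer by eye does not scale, so the following Python script is an added example (not from the article or from Cisco) that parses the %ASA-4-106023 deny and %ASA-6-302014 teardown messages and aggregates denies per source host and destination port. It handles only the tcp/udp form of 106023; the sample lines are the article's own log output with the buffer header included to show that non-matching lines are ignored.

```python
# Added example (not from the firewall.cx article): summarise ASA access-group
# denies (%ASA-4-106023) and TCP teardowns (%ASA-6-302014) from 'show log' output.
# Assumptions: only the tcp/udp variant of 106023 is parsed (the icmp variant
# carries type/code fields instead of ports); sample lines are from the article.
import re
from collections import Counter, defaultdict
from typing import Dict, List

DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (tcp|udp) src (\w+):(\S+?)/(\d+) dst (\w+):(\S+?)/(\d+) "
    r'by access-group "([^"]+)"')
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for (\w+):(\S+?)/(\d+) "
    r"to (\w+):(\S+?)/(\d+) duration (\S+) bytes (\d+)")

# Ports the article's inside-in ACL denies in the sample: SMB and NetBIOS.
WINDOWS_FILE_SHARING = {("tcp", 445), ("tcp", 139), ("udp", 137)}


def parse_denies(lines: List[str]) -> List[dict]:
    """Extract structured records from 106023 deny lines; other lines are skipped."""
    denies = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        proto, src_if, src, sport, dst_if, dst, dport, acl = m.groups()
        denies.append({
            "proto": proto, "src_if": src_if, "src": src, "sport": int(sport),
            "dst_if": dst_if, "dst": dst, "dport": int(dport), "acl": acl,
        })
    return denies


def denies_by_source(denies: List[dict]) -> Dict[str, Counter]:
    """Map each source host to a Counter of (proto, dst port) it was denied on."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for d in denies:
        per_src[d["src"]][(d["proto"], d["dport"])] += 1
    return per_src


def hosts_hitting_file_sharing(denies: List[dict], min_hits: int = 3) -> Dict[str, int]:
    """Inside hosts repeatedly denied on SMB/NetBIOS toward the outside interface.

    A workstation doing this is usually a misconfigured share mapping or something
    worth a closer look; either way it is the line the analyst should follow up on."""
    hits = Counter(
        d["src"] for d in denies
        if d["dst_if"] == "outside" and (d["proto"], d["dport"]) in WINDOWS_FILE_SHARING)
    return {src: n for src, n in hits.items() if n >= min_hits}


def total_bytes_torn_down(lines: List[str]) -> int:
    """Sum the byte counts reported in 302014 teardown messages."""
    return sum(int(m.group(9)) for m in map(TEARDOWN_RE.search, lines) if m)


# Sample input: the article's 'show log' excerpt (header line plus message lines).
SAMPLE_LOG = [
    "Buffer logging: level debugging, 39925 messages logged",
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]',
    "%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs",
]

if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    for src, ports in denies_by_source(denies).items():
        print(src, dict(ports))
    print("file-sharing denies:", hosts_hitting_file_sharing(denies))
    print("bytes in torn-down TCP sessions:", total_bytes_torn_down(SAMPLE_LOG))
```

On the sample, the nine denies collapse to a single source, 10.71.0.50, with six hits on TCP 445, two on TCP 139 and one on UDP 137; the teardown line accounts for the 1,554,462 bytes of the one permitted HTTPS session. The same functions work unchanged on a full `show log` dump or on syslog forwarded from the appliance, since they key on the message IDs rather than on line position.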
CONCLUSION

This article serves as an introductory configuration guide for the ASA5500 series Firewall appliances. We covered all the commands required to get any ASA5500 Firewall working and servicing network clients, while also explaining in detail all commands used during the configuration process.