Cisco ASA5500 (5505, 5510, 5520, etc) Series Firewall Security Appliance Startup Configuration & Basic Concepts

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/96...

Written by Administrator. Posted in Cisco Firewalls - ASA & PIX Firewall Configuration (/cisco-technical-knowledgebase/cisco-firewalls.html)
Saturday, 06 December 2014
INTRODUCING THE CISCO ASA 5500 SERIES FIREWALL APPLIANCE

The Cisco ASA 5500 series security appliances have been around for quite some time and are amongst the most popular hardware firewalls available in the market. Today Firewall.cx (http://www.firewall.cx) takes a look at how to easily set up a Cisco ASA5500 series firewall to perform basic functions: more than enough to provide secure and restricted access to the Internet, to securely access and manage the ASA Firewall, and more.

While many consider the Cisco ASA Firewalls complex and difficult to configure, Firewall.cx aims to break that myth and show how easily you can set up an ASA Firewall to deliver basic and advanced functionality. We've done it with other Cisco technologies and devices, and we'll do it again :)

The table below provides a brief comparison between the different ASA5500 series security appliances:

Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps
Maximum Firewall and IPS Throughput | Up to 150 Mbps with AIP-SSC-5 | Up to 150 Mbps with AIP-SSM-10; Up to 300 Mbps with AIP-SSM-20 | Up to 225 Mbps with AIP-SSM-10; Up to 375 Mbps with AIP-SSM-20; Up to 450 Mbps with AIP-SSM-40 | Up to 500 Mbps with AIP-SSM-20; Up to 650 Mbps with AIP-SSM-40 | Not available
3DES/AES VPN Throughput*** | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps
IPsec VPN Peers | 10; 25 | 250 | 750 | 5000 | 5000
AnyConnect VPN Peers* (Premium, Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000
Concurrent Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000
Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000
Integrated Network Ports | 8-port Fast Ethernet switch (including 2 PoE ports) | 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet ports* | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet
Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400

Users can also download the complete technical datasheet (/downloads/cisco-product-datasheets-a-guides/cisco-asa-5500-series-adaptivesecurity-appliances.html) for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section
(/downloads/cisco-product-datasheets-a-guides.html).

Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to set up pretty much all ASA 5500 series Firewalls, which is great news!

The main differences, besides the licenses which enable or disable features, are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly the modules that might be installed. In any case, we should keep in mind that if we are able to configure a small ASA5505 then configuring the larger models won't be an issue.

At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article; however, do note that all commands and the configuration philosophy are the same across all ASA5500 series security appliances.

Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article provides both old style (up to v8.2.5) and new style (v8.3 onwards) NAT configuration commands.

Additional reading material: Users seeking nothing but the best security information on ASA Firewalls, written by leading Cisco Security Engineers, should consider the following highly recommended Cisco Press titles:

Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition
(http://www.ciscopress.com/store/cisco-asa-all-in-one-firewall-ips-anti-x-and-vpn-adaptive-9781587058196)

Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition (http://www.ciscopress.com/store/cisco-asa-pix-and-fwsmfirewall-handbook-9781587054570)

ASA5500 SERIES CONFIGURATION CHECK-LIST

We've created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall. Here is the list of items that will be covered in this article:

Erase existing configuration
Configure Hostname, Users, Enable password & Disable Anonymous Reporting
Configure interface IP addresses or VLAN IP addresses (ASA5505) & Descriptions
Setup Inside (private) & Outside (public) Interfaces
Configure default route (default gateway) & static routes
Configure Network Address Translation (NAT) for Internal Networks
Configure ASA DHCP Server
Configure AAA authentication for local database user authentication
Enable HTTP Management for inside interface
Enable SSH & Telnet Management for inside and outside interfaces
Create, configure and apply TCP/UDP Object-Groups to firewall access lists
Configuration of access-lists for ICMP packets to the Internet
Apply Firewall access lists to inside and outside interfaces
Configure logging/debugging of events and errors

Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or an accidental restart. Saving the configuration can be easily done using the write memory command:

ASA5505(config)# write memory
Building configuration...
Cryptochecksum: c0aee665 598d7cd3 7fbfe1a5 a2d40ab1
3270 bytes copied in 1.520 secs (3270 bytes/sec)
[OK]

ERASING EXISTING CONFIGURATION

This first step is optional as it will erase the firewall's configuration. If the firewall has been previously configured or used it is a good idea to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is deleted we need to force a reboot; however, take note that it's important not to save the system config, so that the running-config is not copied to the startup-config, otherwise we'll have to start this process again:

ciscoasa(config)# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: N
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....

CONFIGURE HOSTNAME, USERS, 'ENABLE' PASSWORD & DISABLE ANONYMOUS REPORTING


Next, we need to configure the enable password, required for privileged exec mode access, and then the user accounts that will have access to the firewall.

The ASA Firewall won't ask for a username/password when logging in next; however, the default enable password of cisco will be required to gain access to privileged mode:

ciscoasa> enable
Password: cisco
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

At this point we need to note that when starting off with the factory default configuration, as soon as we enter the configure terminal command, the system will ask if we would like to enable Cisco's call-home reporting feature. We declined the offer and continued with our setup:

ciscoasa(config)# hostname ASA5505
ASA5505(config)# enable password firewall.cx
ASA5505(config)# username admin password s1jw$528ds2 privilege 15

The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands, including erasing the configuration and files on the device's flash disk, such as the operating system. Treat the enable password and any privilege 15 account accordingly: the sample values shown here must be replaced with strong, unique passwords before the firewall is connected to a production network.

CONFIGURE INTERFACE IP ADDRESSES / VLAN IP ADDRESSES & DESCRIPTIONS


Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA5510 and larger models, or create VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA5505 models.

In many cases network engineers use VLAN interfaces on the larger ASA5500 models as well; however, this depends on the licensing capabilities of the device, the existing network setup and more.

In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:

ASA5505(config)# interface vlan 1
ASA5505(config-if)# description Private-Interface
ASA5505(config-if)# ip address 10.71.0.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address 192.168.3.50 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

Alternatively, the Public interface (VLAN2) can be configured to obtain its IP address automatically via DHCP with the following command:

ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown

The setroute parameter at the end of the command will ensure the ASA Firewall sets its default route (gateway) using the default gateway parameter the DHCP server provides.

After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface. Out of the 8 Ethernet interfaces the ASA5505 has, at least one must be set with switchport access vlan 2, otherwise there won't be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order to make them operational. All of these ports are, by default, access links for VLAN1. Provided are the configuration commands for the first two Ethernet interfaces, as the configuration is identical for all:

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown

Only bring up the switch ports that are actually cabled: every enabled port left on VLAN1 is an inside port, and anyone with physical access to the appliance can plug into it and land on the trusted network.

SETUP INSIDE (PRIVATE) & OUTSIDE (PUBLIC) INTERFACES


Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall
understand which interface is connected to the trusted (private) and untrusted (public) network:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
!
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
The ASA Firewall automatically sets the security level to 100 for the interface named inside and 0 for the interface named outside. Traffic can flow from higher security levels to lower (private to public), but not the other way around (public to private) unless explicitly permitted by an access list applied to the lower-security interface. Note that once an access list is applied to an interface with access-group (covered later), that access list alone decides what enters on that interface; the security-level default no longer applies to it.

To change the security level of an interface use the security-level xxx command, substituting xxx with a number from 0 to 100. The higher the number, the higher the security level. DMZ interfaces are usually configured with a security level of 50.

It is extremely important that the necessary caution is taken when selecting and applying the inside/outside interfaces on any ASA Firewall: swapping the two exposes the private network to the Internet with no filtering at all.

CONFIGURE DEFAULT ROUTE (DEFAULT GATEWAY) & STATIC ROUTES


The default route configuration command is necessary for the ASA Firewall to route packets outside the network via the next hop, usually a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.

ASA5505(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.1

At this point, it's a good idea to test the next-hop router and confirm the ASA Firewall can reach it:

ASA5505(config)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer 3 switch or an internal router. For our example, we'll assume we have two networks, 10.75.0.0/24 & 10.76.0.0/24, which we need to provide Internet access to. These additional networks are reachable via a Layer 3 device with IP address 10.71.0.100, which sits on the inside network, so the routes point out of the inside interface and carry the /24 mask of each network:

ASA5505(config)# route inside 10.75.0.0 255.255.255.0 10.71.0.100
ASA5505(config)# route inside 10.76.0.0 255.255.255.0 10.71.0.100

Without these routes the ASA would send packets destined for 10.75.0.0/24 and 10.76.0.0/24 to its default gateway on the outside interface, and return traffic would never reach those hosts.

CONFIGURE NETWORK ADDRESS TRANSLATION (NAT) FOR INTERNAL NETWORKS


This is the last step required to successfully provide Internet access to our internal networks. Network Address Translation is essential to
masquerade our internal network using the single IP address our Public interface has been configured with. Network Address Translation,
along with all its variations (Static, Dynamic etc), is covered in great depth in our popular Network Address Translation (/networking-topics
/network-address-translation-nat.html) section.
We should note at this point that NAT configuration has slightly changed with ASA software version 8.3 and above. We will provide both
commands to cover installations with software version up to v8.2.5 and from v8.3 and above.
The following commands apply to ASA appliances with software version up to 8.2.5:
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 10.71.0.0 255.255.255.0
ASA5505(config)# nat (inside) 1 10.75.0.0 255.255.255.0
ASA5505(config)# nat (inside) 1 10.76.0.0 255.255.255.0

In the above configuration, the ASA Firewall is instructed to NAT all internal networks using NAT group 1. The number 1 identifies the NAT group, tying the nat (inside) statements to the matching global (outside) pool between the inside and outside interfaces. The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside interface (Port Address Translation, as the INFO message confirms).

Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NATed with the use of access lists:

ASA5505(config)# access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.75.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.76.0.0 255.255.255.0 any
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 access-list NAT-ACLs

NAT with the use of access lists (policy NAT) provides greater flexibility and control over which IP addresses or networks will use the NAT service, since both the source and the destination of a flow can be matched.

With software version 8.3 and newer, things have changed dramatically and there are no more access lists in the NAT configuration lines. The new NAT format utilizes "object network", "object service" and "object-group network" to define the parameters of the NAT configuration.

The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet; nat (inside,outside) dynamic interface is the object-NAT equivalent of the global/nat pair above, translating each network to the outside interface address:
ASA5505(config)# object network network1
ASA5505(config-network-object)# subnet 10.71.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network2
ASA5505(config-network-object)# subnet 10.75.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
ASA5505(config)# object network network3
ASA5505(config-network-object)# subnet 10.76.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface

CONFIGURING THE ASA DHCP SERVER


A DHCP server is necessary in most cases as it helps manage the assignment of IP addresses to our internal hosts. The ASA Firewall can be configured to provide DHCP services to our internal network, a very handy and welcome feature.

Again, there are some limitations with the DHCP service configuration which vary with the ASA model and license used. On our ASA5505, the maximum number of addresses in the DHCP pool was just 128, and the ASA says so when a larger range is requested.

Note that the DHCP service can run on all ASA interfaces, so it is necessary to specify which interface the DHCP configuration parameters are for. The pool does not become active until the service is enabled on that interface with dhcpd enable:

ASA5505(config)# dhcpd address 10.71.0.50-10.71.0.200 inside
Warning, DHCP pool range is limited to 128 addresses, set address range as: 10.71.0.50-10.71.0.177
ASA5505(config)# dhcpd address 10.71.0.50-10.71.0.128 inside
ASA5505(config)# dhcpd dns 8.8.8.8 interface inside
ASA5505(config)# dhcpd enable inside

Once enabled, the DHCP service will begin assigning IP addresses to the clients. The default gateway handed to clients is the ASA's own address on that interface (10.71.0.1 here) and does not need to be configured separately.

We can verify the DHCP service is working using the show dhcpd statistics command:

ASA5505(config)# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools
Automatic bindings 1
Expired bindings
Malformed messages 0

Message Received
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM

If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.

CONFIGURE AAA AUTHENTICATION FOR LOCAL DATABASE USER AUTHENTICATION


Configuring AAA authentication is always a good idea as it instructs the ASA Firewall which user database to use for the various services it's running. For example, we can tell the ASA Firewall to use a RADIUS server for VPN user authentication, but use its local database for telnet, SSH or HTTP (ASDM) management access to the Firewall appliance. Without these commands, management logins do not use the username accounts created earlier at all: telnet and SSH fall back to the login password set with the passwd command (SSH with the fixed username pix), so the admin account and its privilege level are never consulted.

As mentioned, our example instructs the ASA Firewall to use its local database:

ASA5505(config)# aaa authentication telnet console LOCAL
ASA5505(config)# aaa authentication http console LOCAL
ASA5505(config)# aaa authentication ssh console LOCAL

ENABLE HTTP MANAGEMENT FOR INSIDE INTERFACE


We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the Firewall's management via the popular ASDM management application:

ASA5505(config)# http 10.71.0.0 255.255.255.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
ASA5505(config)# http server enable

The above commands enable HTTPS management (the ASA serves ASDM over TLS on port 443) only for the network 10.71.0.0/24 arriving on the inside interface. No http statement is added for the outside interface, so ASDM is not reachable from the Internet, which is how it should stay.

ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES
Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option; however, we must keep in mind that telnet management provides no security, as all data (including usernames, passwords and configurations) is sent in clear text. The ASA also refuses telnet sessions on its lowest-security interface, which is why telnet is only permitted on the inside interface below.

Before enabling SSH, we must generate an RSA key pair, which the SSH server uses as its host key. Telnet does not require any such step as it does not provide any encryption or security:

ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside
ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside
ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside

Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on the inside interface. A 1024-bit RSA modulus is shown here; a 2048-bit key (modulus 2048) is the sensible minimum today, and the server should be restricted to protocol version 2 with the ssh version 2 command, since SSHv1 is broken.

CREATE, CONFIGURE AND APPLY TCP/UDP OBJECT-GROUPS


An essential part of any firewall configuration is to define the Internet services our users will have access to. This is done either by creating a number of lengthy access lists for each protocol/service and then applying them to the appropriate interfaces, or by utilising ASA Firewall Object-Groups which are then referenced in the access lists applied to the interfaces. Using Object-groups is easy and recommended as they provide a great deal of flexibility and ease of management.

The logic is simple: create your Object-Groups, insert the protocols and services required, and then reference them in the firewall access lists. As a last step, we apply the access lists to the interfaces we need.

Let's use an example to help visualise the concept. Our needs require us to create two Object-Groups, one for TCP and one for UDP services:

ASA5505(config)# object-group service Internet-udp udp
ASA5505(config-service)# description UDP Standard Internet Services
ASA5505(config-service)# port-object eq domain
ASA5505(config-service)# port-object eq ntp
ASA5505(config-service)# port-object eq isakmp
ASA5505(config-service)# port-object eq 4500
!
ASA5505(config-service)# object-group service Internet-tcp tcp
ASA5505(config-service)# description TCP Standard Internet Services
ASA5505(config-service)# port-object eq www
ASA5505(config-service)# port-object eq https
ASA5505(config-service)# port-object eq smtp
ASA5505(config-service)# port-object eq 465
ASA5505(config-service)# port-object eq pop3
ASA5505(config-service)# port-object eq 995
ASA5505(config-service)# port-object eq ftp
ASA5505(config-service)# port-object eq ftp-data
ASA5505(config-service)# port-object eq domain
ASA5505(config-service)# port-object eq ssh
ASA5505(config-service)# port-object eq telnet

Now we need to reference our two Object-groups in the firewall access lists. Here we can also define which networks will have access to the services listed in each Object-group:

ASA5505(config)# access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=
ASA5505(config)# access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any object-group Internet-udp
ASA5505(config)# access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.75.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.76.0.0 255.255.255.0 any object-group Internet-tcp

Note that the 10.71.0.0/24 network has access to the services of both Object-groups, while our other networks are restricted to only the services defined in the TCP Object-group. In particular, with no UDP entry for 10.75.0.0/24 and 10.76.0.0/24, hosts there cannot send ordinary DNS queries (udp/53) or NTP through the firewall, so either add a udp line for them or point them at an internal resolver. To understand how Object-groups help simplify access list management: without them, we would require 37 access list commands (4 UDP ports for one network plus 11 TCP ports for each of three networks) instead of just 4!

CONFIGURATION OF ACCESS-LISTS FOR ICMP PACKETS TO THE INTERNET


To complete our access list configuration we configure our ASA Firewall to allow ICMP packets (ping) from the inside network to any destination, and their replies (echo-reply) back in on the outside interface:

ASA5505(config)# access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=
ASA5505(config)# access-list outside-in extended permit icmp any any echo-reply

The outside-in entry is needed because the ASA does not track ICMP statefully by default, so the echo-reply would otherwise be dropped by the implicit deny on the outside interface. Enabling ICMP inspection (inspect icmp in the global policy) makes the ASA track echo/echo-reply pairs as connections; in that case this outside-in line is no longer required and only replies to pings actually sent from inside are let in, which is the tighter option. Note also that the inside-in line permits every ICMP type from 10.71.0.0/24, not just echo.

APPLYING FIREWALL ACCESS-LISTS TO INSIDE AND OUTSIDE INTERFACES

The last step in configuring our firewall rules involves applying the two access lists, inside-in & outside-in, to the appropriate interfaces. Once this step is complete the firewall rules are in effect immediately:

ASA5505(config)# access-group inside-in in interface inside
ASA5505(config)# access-group outside-in in interface outside

From this point on, anything not explicitly permitted in inside-in is dropped by the implicit deny at the end of the list, and the same holds for traffic arriving on the outside interface.
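To make the evaluation order, the object-group expansion and the implicit deny concrete, here is a small Python model of the inside-in access list exactly as configured above. It is an added example for this article, not code from Firewall.cx or Cisco: the PORTS table of service names and the sample flows are constructed for the demonstration, and interface_permits() models the security-level rule described in the Inside/Outside section, where an applied access list replaces the higher-to-lower default.

```python
"""Model of how the ASA decides a flow arriving on the 'inside' interface.

Added example for this article (not Cisco code, not the article's own). It encodes
the two object-groups and the 'inside-in' access list as configured above, then
reproduces first-match evaluation, object-group expansion and the implicit deny
that ends every access list applied with access-group.
"""
import ipaddress

# Well-known service names used by the article's port-object lines (constructed table).
PORTS = {"domain": 53, "ntp": 123, "isakmp": 500, "www": 80, "https": 443, "smtp": 25,
         "pop3": 110, "ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23}


def port(name):
    """Resolve a port-object argument: a service name from PORTS or a bare number."""
    return PORTS[name] if name in PORTS else int(name)


# object-group service Internet-udp udp / Internet-tcp tcp, as configured in the article
OBJECT_GROUPS = {
    "Internet-udp": ("udp", {port(p) for p in ("domain", "ntp", "isakmp", "4500")}),
    "Internet-tcp": ("tcp", {port(p) for p in ("www", "https", "smtp", "465", "pop3", "995",
                                               "ftp", "ftp-data", "domain", "ssh", "telnet")}),
}

# access-list inside-in in configured order: (protocol, source, destination, object-group or None)
INSIDE_IN = [
    ("udp", "10.71.0.0/24", "0.0.0.0/0", "Internet-udp"),
    ("tcp", "10.71.0.0/24", "0.0.0.0/0", "Internet-tcp"),
    ("tcp", "10.75.0.0/24", "0.0.0.0/0", "Internet-tcp"),
    ("tcp", "10.76.0.0/24", "0.0.0.0/0", "Internet-tcp"),
    ("icmp", "10.71.0.0/24", "0.0.0.0/0", None),
]


def expanded_ace_count(acl):
    """How many single-port ACEs the ACL would need if the object-groups were written out."""
    return sum(len(OBJECT_GROUPS[group][1]) if group else 1 for _, _, _, group in acl)


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins. Returns ('permit', index) or ('deny', None) for the
    implicit deny the ASA appends to every access list applied with access-group."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (ace_proto, ace_src, ace_dst, group) in enumerate(acl):
        if ace_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(ace_src) or dst_ip not in ipaddress.ip_network(ace_dst):
            continue
        # An object-group ACE only matches when the destination port is in the group.
        if group is not None and dport not in OBJECT_GROUPS[group][1]:
            continue
        return ("permit", index)
    return ("deny", None)


def interface_permits(src_level, dst_level, acl=None, **flow):
    """What an interface does with a flow: if an access-group is applied, the ACL alone
    decides; without one, only traffic from a higher to a lower security level passes."""
    if acl is not None:
        return evaluate(acl, **flow)[0] == "permit"
    return src_level > dst_level


if __name__ == "__main__":
    print("ACEs without object-groups:", expanded_ace_count(INSIDE_IN[:4]))
    # The SMB attempt seen later in the article's log is dropped by the implicit deny.
    print(evaluate(INSIDE_IN, "tcp", "10.71.0.50", "10.0.0.10", 445))
    # 10.75.0.0/24 has no UDP line, so plain DNS lookups from there never leave the firewall.
    print(evaluate(INSIDE_IN, "udp", "10.75.0.5", "8.8.8.8", 53))
```

Run it with python3; the two printed decisions correspond to the tcp/445 denies in the show log output later in the article and to the missing UDP entry for the 10.75.0.0/24 network noted above.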

CONFIGURE LOGGING/DEBUGGING OF EVENTS & ERRORS


This last step in our ASA Firewall configuration guide will enable logging so that we can easily trace events and errors. It is highly recommended to enable logging because it will certainly help when troubleshooting the ASA Firewall.

ASA5505(config)# logging buffered 7
ASA5505(config)# logging buffer-size 30000
ASA5505(config)# logging enable

The commands used above enable buffered logging at the debugging level (7) and set the buffer size in RAM to 30,000 bytes (~30 Kbytes). The buffer is volatile and wraps once it is full (the output below already reports 39925 messages logged), so for anything beyond interactive troubleshooting add timestamps (logging timestamp) and ship the messages to a syslog server (logging host together with logging trap) where they survive a reload. Level 7 on a busy firewall is also very noisy; level 6 (informational) is usually enough to capture connection build/teardown and access list denies.

Issuing the show log command will reveal a number of important logs including any packets that are processed or denied due to access lists:

ASA5505(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 39925 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs

The 106023 messages show a host on the inside network (10.71.0.50) repeatedly trying to reach SMB (tcp/445), NetBIOS session (tcp/139) and NetBIOS name service (udp/137) on 10.0.0.10, and the inside-in access list dropping every attempt. That is exactly the kind of traffic a workstation should not be sending towards the outside interface, and the host is worth following up on.
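As an added example (not part of the original article or of any Cisco tool), the following Python script parses %ASA-4-106023 messages like those above and summarises which flows the inside-in access list is dropping, so that the repeated SMB/NetBIOS attempts stand out instead of being read line by line. SAMPLE_LOG is constructed from the show log lines shown above; the LATERAL_MOVEMENT_PORTS list and the threshold of five denies are assumptions made for the demonstration, and in practice the text would come from a syslog collector rather than a string.

```python
"""Summarise the %ASA-4-106023 'Deny ... by access-group' messages from 'show log'.

Added example for this article, not part of the original page or of any Cisco tool.
SAMPLE_LOG is constructed from the deny and teardown lines shown in the article;
the port list and the noise threshold below are assumptions for the demonstration.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
"""

# Fields of the 106023 message: protocol, ingress interface and source, egress interface
# and destination, and the access-group whose implicit deny dropped the packet.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Services whose appearance in outbound denies usually mean a host is probing or
# misconfigured rather than browsing (constructed list for this example).
LATERAL_MOVEMENT_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


def parse_denies(text):
    """Return one dict per 106023 line; every other syslog message is ignored."""
    denies = []
    for line in text.splitlines():
        match = DENY_RE.search(line)
        if match:
            entry = match.groupdict()
            entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
            denies.append(entry)
    return denies


def denied_flows(text):
    """Count denies per (source, destination, protocol, destination port)."""
    return Counter((d["src"], d["dst"], d["proto"], d["dport"]) for d in parse_denies(text))


def noisy_sources(text, threshold=5):
    """Sources with at least `threshold` denied packets; worth a look regardless of port."""
    per_source = Counter(d["src"] for d in parse_denies(text))
    return sorted(src for src, count in per_source.items() if count >= threshold)


def lateral_movement_attempts(text):
    """Denied flows aimed at SMB/NetBIOS ports, grouped by (source, destination)."""
    hits = Counter()
    for d in parse_denies(text):
        if (d["proto"], d["dport"]) in LATERAL_MOVEMENT_PORTS:
            hits[(d["src"], d["dst"])] += 1
    return hits


if __name__ == "__main__":
    for flow, count in denied_flows(SAMPLE_LOG).most_common():
        print(count, flow)
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
    print("SMB/NetBIOS attempts:", dict(lateral_movement_attempts(SAMPLE_LOG)))
```

On the sample above the script reports six tcp/445, two tcp/139 and one udp/137 denies, all from 10.71.0.50 to 10.0.0.10, and flags that host as the one to investigate; pointing the same functions at a syslog export from logging host gives the same summary over a full day of traffic.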

CONCLUSION

This article serves as an introductory configuration guide for the ASA5500 series Firewall appliances. We covered all the necessary commands required to get any ASA5500 Firewall working and servicing network clients, while also explaining in detail all commands used during the configuration process.

Copyright 2000-2014 Firewall.cx - All Rights Reserved