
Chapter 9: Implementing the Cisco Adaptive Security Appliance

CCNA Security v2.0


9.0 Introduction
9.1 Introduction to the ASA
9.2 ASA Firewall Configuration
9.3 Summary

2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
Compare ASA solutions to other routing firewall technologies.

Explain ASA 5505 operation with the default configuration.

Small Office and Branch Office ASA Models

Internet Edge Models

Enterprise Data Center Models

ASA Virtualization

High Availability

Identity Firewall

ASA Threat Control

Permitted Traffic

Denied Traffic
Routed Mode

Transparent Mode
Base License Specifics

Security Plus License Specifics
show version Command Output

ASA 5505 Back Panel

ASA 5505 Front Panel
Security Level Control:
Network Access

Inspection Engines

Application Filtering

ASA Deployment in a Small Branch

ASA Deployment in a Small Business

ASA Deployment in an Enterprise
Upon completion of this section, you should be able to:
Explain what ASA firewall services are enabled using the default configuration.

Configure an ASA to provide basic firewall services.

Configure object groups on an ASA.

Configure access lists with object groups on an ASA.

Configure an ASA to provide NAT services.

Configure access control using the local database and AAA server.

Explain how the Cisco Modular Policy Framework (MPF) is used to configure ASA policies.

Base License Specifics

Security Plus License Specifics
show version Command Output

ASA 5505 Default Configuration Overview
Entering the ASA 5505 Setup Initialization Wizard

Entering Global Configuration Mode Example

ASA Basic Configuration Commands

Configuring Basic Settings

Enabling AES Encryption Example
Local VLAN Interface Commands

Configuring IP Addresses on VLAN Interfaces
Configuring VLAN Interfaces Example

Configuring Layer 2 Ports Example

Verifying VLAN Port Assignment Example
Verifying Interfaces Example

Verifying IP Addresses Example
Telnet Configuration Commands

Telnet Configuration Commands Example

SSH Configuration Commands

Configuring SSH Access Example

NTP Authentication Commands

Configuring NTP Example

DHCP Server Commands

Configuring DHCP Server Example

Network Object Commands

Configuring a Network Object Example

Service Object Options Example

Common Service Object Commands

Configuring a Service Object Example

Network Object Group Example

ICMP-type Object Group Example
Services Object Group Example

Services Object Group Example

ASA ACL and IOS ACL Similarities

ASA ACL and IOS ACL Similarities
Higher Levels Allowed To Lower Levels

Lower Levels Denied To Higher Levels
Extended ACL Examples

Standard ACL Example

IPv6 ACL Example
ACL Command Parameters

Condensed Extended ACL Syntax

ASA ACL Elements

access-group Command Syntax

ACL Reference Topology

Extended ACL Configuration Example

Verifying the ACL
Condensed Extended ACL Syntax with Object Groups

ACL Reference Topology

ACL and Object Group Configuration Example

Verifying the ACL and Object Group Configuration Example
Types of NAT Deployments:
Inside NAT

Outside NAT

Bidirectional NAT

Dynamic NAT Reference Topology

Dynamic NAT Configuration Example

Enable Return Traffic Example

Verifying the Dynamic NAT Configuration Example
Dynamic PAT Configuration Example

Verifying the Dynamic PAT Configuration Example

Configure the DMZ Interface Example

Static NAT Configuration Example
Verifying the Static NAT Configuration Example

RADIUS and TACACS+ Server Commands

Sample AAA TACACS+ Server Configuration

Implementing Modular Policy Framework

Default Service Policy Configuration

Chapter Objectives:
Explain how the ASA operates as an advanced stateful firewall.

Implement an ASA firewall configuration.

Thank you.

Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com). These resources cover a variety of topics including navigation, assessments, and assignments. A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.