
NETWORKS TRAINING

Cisco ASA 5505 Basic Configuration Tutorial



The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application-aware security, denial-of-service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150 Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

EDIT: There are newer models that will replace the ASA 5505 as described here.

In this article I will explain the basic configuration steps needed to set up a Cisco 5505 ASA firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g. 200.200.200.1 as an example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface.

The difference of the 5505 model from the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; rather, you have to create interface VLANs and assign the Layer 2 interfaces to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and it is the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network.

Let's see the basic configuration setup of the most important steps that you need to configure. The diagram below illustrates the network topology for the configuration setup that we will describe. Notice from the diagram that port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 7 connect to internal hosts (PC computers etc).

Step 1: Configure the internal interface vlan
ASA5505(config)# interface Vlan1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shut

Step 2: Configure the external interface vlan (connected to Internet)
ASA5505(config)# interface Vlan2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shut

Step 3: Assign Ethernet0/0 to Vlan 2
ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the rest of the interfaces with no shut
ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut
Do the same for Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface
ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3 and later
In March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially to the NAT/PAT mechanism. The global command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Step 6: Configure default route towards the ISP (assume default gateway is 200.200.200.2)
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
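
As an added example (not part of the original tutorial and not Cisco tooling), this Python script checks a saved configuration against the six steps above: the inside/outside security levels, a complete PAT rule in either the pre-8.3 or the 8.3+ form, and a default route whose gateway sits in the outside subnet. The function names, finding texts and the sample config are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: steps 1-6 above as they would appear in a saved pre-8.3 config.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
"""

def zones(cfg):
    """Map nameif -> (security level, ip_interface) for each interface block."""
    out = {}
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        name = re.search(r"^ nameif (\S+)", block, re.M)
        level = re.search(r"^ security-level (\d+)", block, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if name and level and addr:
            out[name[1]] = (int(level[1]), ipaddress.ip_interface(f"{addr[1]}/{addr[2]}"))
    return out

def audit(cfg):
    """Return findings; an empty list means the six-step baseline is consistent."""
    z, findings = zones(cfg), []
    for name, want in (("inside", 100), ("outside", 0)):
        if name not in z:
            findings.append(f"{name}: nameif, security-level or ip address missing")
        elif z[name][0] != want:
            findings.append(f"{name}: security-level {z[name][0]}, expected {want}")
    # Pre-8.3: a nat rule only translates if a global pool carries the same NAT id.
    pools = set(re.findall(r"^global \(outside\) (\d+) interface", cfg, re.M))
    nats = set(re.findall(r"^nat \(inside\) (\d+) ", cfg, re.M))
    modern = re.search(r"^ *nat \(inside,outside\) dynamic interface", cfg, re.M)
    if not (pools & nats or modern):
        findings.append("PAT: no complete rule (pre-8.3 global/nat ids must match)")
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    if not gw:
        findings.append("route: no default route on outside")
    elif "outside" in z and ipaddress.ip_address(gw[1]) not in z["outside"][1].network:
        findings.append(f"route: gateway {gw[1]} not in the outside interface subnet")
    return findings
```

Calling audit(SAMPLE) returns an empty list; changing the NAT id on only one of the two pre-8.3 lines, or pointing the default route at an inside address, produces a finding.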

The above steps are the absolutely necessary steps you need to configure for making the appliance operational. Of
