Cisco ASA5500 (5505, 5510, 5520, Etc) Series Firewall Security Appliance Startup Configuration & Basic Concepts

(http://www.firewall.
cx)
FIREWALL.CXTEAM
NEWS
ALTERNATIVEMENU
RECOMMENDEDSITES
CONTACTUSFEEDBACK
(/MEETTHETEAM.HTML)
(/NEWS.HTML)
(/SITEMAP.HTML)
(/RECOMMENDEDSITES.HTML)
(/CONTACTUS.HTML)
HOME
(/)
NETWORKING
(/networking-topics.html)
(/microsoft-knowledgebase.html)
MICROSOFT
DOWNLOADS
(/downloads.html)
FORUM
LINUX
CISCO
(/cisco-technical-knowledgebase.html)
(/linux-knowledgebase-tutorials.html)
MORE CONTENT
(/general-topics-reviews.html)
(/forums.html)
WEDNESDAY,16DECEMBER2015
search...
HOT DOWNLOADS
(http://clixtrac.com/goto/?99229)
NETWORK SECURITY
FREE HYPERV &
AUTOMATED ONLINE
SCANNER
VMWARE BACKUP
WEB SECURITY SCAN
(HTTP://CLIXTRAC.COM/GOTO/? (HTTP://CLIXTRAC.COM/GOTO/? (HTTP://CLIXTRAC.COM/GOTO/?
NETWORK SECURITY
SCANNER
(/component/banners/click/3.html)
CISCO ASA5500 (5505, 5510, 5520, ETC) SERIES FIREWALL

SECURITY APPLIANCE STARTUP CONFIGURATION & BASIC
CONCEPTS
WRITTENBYADMINISTRATOR.POSTEDINCISCOFIREWALLSASA&PIXFIREWALLCONFIGURATION(/CISCOTECHNICALKNOWLEDGEBASE/CISCO
FIREWALLS.HTML)
(http://clixtrac.com/goto/?
99232)
FREE HYPERV &

VMWARE BACKUP
Rating4.81(16Votes)
Share
Tweet
Like
Share 189peoplelikethis.SignUpto
seewhatyourfriendslike.
INTRODUCING THE CISCO ASA 5500 SERIES FIREWALL APPLIANCE

TheCiscoASA5500seriessecurityapplianceshavebeenaroundforquitesometime
and are amongst the most popular hardware firewalls available in the market. Today
Firewall.cx(http://www.firewall.cx)takesalookathowtoeasilysetupaCiscoASA5500
series firewall to perform basic functions, more than enough to provide secure &
210273)
restricted access to the Internet, securely access and manage the ASA Firewall and
more.
While many consider the Cisco ASA Firewalls complex and difficult to configure
devices, Firewall.cx aims to break that myth and show how easy you can setup an ASA Firewall to deliver basic and advanced
functionality.WevedoneitwithotherCiscotechnologiesanddevices,andwelldoitagain:)
RECOMMENDED
DOWNLOADS
WebSecurity
99233)
ThetablebelowprovidesabriefcomparisonbetweenthedifferentASA5500seriessecurityappliances:
FreeHyperV&VMware
Backup
Feature
CiscoASA5505 CiscoASA
5510
CiscoASA
CiscoASA
CiscoASA
5520
5540
5550
210270)
ServerAntiSpam
Users/Nodes
10,50,or
unlimited
Unlimited
Unlimited
Unlimited
Unlimited
99234)
NetworkScanner
FirewallThroughput Upto150Mbps Upto300

Mbps
Upto450
Upto650
Upto1.2
Mbps
Mbps
Gbps
99235)
IDSSecurityManager
MaximumFirewall
Upto150
andIPSThroughput MbpswithAIP
SSC5
Upto150
Upto225
Upto500
Mbpswith
MbpswithAIP Mbpswith
AIPSSM10 SSM10
AIPSSM20
Upto300
Upto375
Upto650
Mbpswith
MbpswithAIP Mbpswith
AIPSSM20 SSM20
Notavailable
99236)
WebProxyMonitor
99237)
NetworkAnalyzerSniffer
AIPSSM40
195370)
Upto450
CiscoVPNClient
MbpswithAIP
(/downloads/ciscotoolsa
SSM40
applications.html)
NetworkFaxServer
3DES/AESVPN
Upto100Mbps Upto170
***
Throughput
Mbps
Upto225
Upto325
Upto425
Mbps
Mbps
Mbps
100607)
ForensicSecurityAnalysis
IPsecVPNPeers
1025
250
750
5000
5000
195375)
WebVulnerabilityScanner
Premium
2/25
2/250
2/750
2/2500
2/5000
AnyConnectVPN
191594)
Peers
(Included/Maximum)
Concurrent
WEBSITE SCANNER
10,00025,000*
New
50,000
280,000
400,000
650,000
130,000*
Connections
4000
9000
12,000
25,000
33,000
IntegratedNetwork
8portFast
5Fast
4Gigabit
4Gigabit
8Gigabit
Ports
Ethernetswitch Ethernet
Ethernet,
Ethernet,
Ethernet,
(including2PoE ports2
1Fast
1Fast
4SFPFiber,
ports)
Ethernet
Ethernet
1Fast
Connections/Second
Gigabit
Ethernet+3
Ethernet
211418)
NETWORK ANALYZER
Fast
Ethernet
ports *
VirtualInterfaces
3(notrunking
(VLANs)
support)/20(with
50/100*
150
200
400
trunking
support)*
195373)
Userscanalsodownloadthecompletetechnicaldatasheet(/downloads/ciscoproductdatasheetsaguides/ciscoasa5500series
adaptivesecurityappliances.html)fortheCiscoASA5500seriesfirewallsbyvisitingourCiscoProductDatasheet&GuidesDownload
section(/downloads/ciscoproductdatasheetsaguides.html).
(http://www.linkedin.com/groups?
(https://www.facebook.com/fire
(http://twitter.com/firewall
(http://feeds.feedbu
CONNECT:home=&gid=1037867)
Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505
Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to setup pretty much all ASA
5500seriesFirewallswhichisGreatNews!
FACEBOOK LIKE US!

Firewall
LikePage
POPULAR SECURITY
ARTICLES
ImplicationsofUnsecure
Webservers&Websites
(/generaltopics
The main differences besides the licenses, which enable or disable features, are the physical interfaces of each ASA model (mainly
reviews/security
betweentheASA5505andthelarger5510/5520)andpossiblymodulesthatmightbeinstalled.Inanycase,weshouldkeepinmindthatif
articles/1072implications
weareabletoconfigureasmallASA5505thenconfiguringthelargermodelswontbeanissue.
ofunsecurewebservers
andwebsitesfor
At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article,
oganizations
however,donotethatallcommandsandconfigurationphilosophyisthesameacrossallASA5500seriessecurityappliances.
companies.html)
TheImportanceof
Note:ASAsoftwareversion8.3.0andaboveusedifferentNATconfigurationcommands.Thisarticleprovidesbotholdstyle(up
AutomatingWebSecurity
tov8.2.5)andnewstyle(v8.3onwards)NATconfigurationcommands.
PenetrationTesting
(/generaltopics
reviews/security
articles/1074automation
webapplicationsecurity
Additionalreadingmaterial:UsersseekingnothingbutthebestsecurityinformationonASAFirewalls,writtenbyleadingCiscoSecurity
testing.html)
Engineers,shouldconsiderthefollowinghighlyrecommendedCiscoPresstitles:
ChoosingaWebApplication
SecurityScanner(/general
topicsreviews/security
CiscoASA:AllinOneFirewall,IPS,AntiX,andVPNAdaptiveSecurityAppliance,2ndEdition
(http://www.ciscopress.com/store/ciscoasaallinonefirewallipsantixandvpnadaptive9781587058196)
articles/1083choosingweb
CiscoASA,PIX,andFWSMFirewallHandbook,2ndEdition(http://www.ciscopress.com/store/ciscoasapixandfwsm
firewallhandbook9781587054570)
scanner.html)
applicationsecurity
StatisticsHighlightthe
StateofSecurityofWeb
Applications(/general
ASA5500 SERIES CONFIGURATION CHECKLIST
articles/1073stateof
WevecreatedasimpleconfigurationchecklistthatwillhelpuskeeptrackoftheconfiguredservicesonourASAFirewall.Hereisthelist
securityofweb
ofitemsthatwillbecoveredinthisarticle:
applications.html)
ComparingNetsparker
Eraseexistingconfiguration
Cloud&Desktopbased
SecuritySoftware(/general
ConfigureHostname,Users,Enablepassword&DisableAnonymousReporting
ConfigureinterfaceIPaddressesorVlanIPaddresses(ASA5505)&Descriptions
SetupInside(private)&Outside(public)Interfaces
Configuredefaultroute(defaultGateway)&staticroutes
topicsreviews/cloudbased
solutions/1079cloudbased
vsdesktopbasedsecurity
solutions.html)
HowtoProtectyour
WebsitesandWebServer
fromHackers(/general
ConfigureNetworkAddressTranslation(NAT)forInternalNetworks
articles/1092securitytips
ConfigureASADHCPServer
ConfigureAAAauthenticationforlocaldatabaseuserauthentication
howtoprotectyour
websitesandwebservers
fromhackers.html)
EnableHTTPManagementforinsideinterface
EnableSSH&TelnetManagementforinsideandoutsideinterfaces
CISCO PRESS REVIEW

PARTNER
Create,configureandapplyTCP/UDPObjectGroupstofirewallaccesslists
ConfigurationofaccesslistsforICMPpacketstotheInternet
ApplyFirewallaccessliststoinsideandoutsideinterfaces
Configurelogging/debuggingofeventsanderrors
Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or accident
restart.
(/sitenews/316firewall
ciscopress.html)
Notifymeofnewarticles
Name
Savingtheconfigurationcanbeeasilydoneusingthewritememorycommand:
Email
ASA5505(config)#writememory
Buildingconfiguration...
Subscribe
Cryptochecksum:c0aee665598d7cd37fbfe1a5a2d40ab1
3270bytescopiedin1.520secs(3270bytes/sec)
[OK]
CISCO MENU
CISCOROUTERS
(/ciscotechnical
ERASING EXISTING CONFIGURATION

Thisfirststepisoptionalasitwillerasethefirewallsconfiguration.Ifthefirewallhasbeenpreviouslyconfiguredoruseditisagoodidea
to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is
deletedweneedtoforceareboot,however,takenotethatitsimportantnottosavethesystemconfigtoensuretherunningconfigisnot
copiedtothestartupconfigotherwisewellhavetostartthisprocessagain:
ciscoasa(config)#writeerase
Eraseconfigurationinflashmemory?[confirm]
knowledgebase/cisco
routers.html)
CISCOSWITCHES
(/ciscotechnical
knowledgebase/cisco
switches.html)
CISCOVOIP/CCME
CALLMANAGER
[OK]
(/ciscotechnical
ciscoasa(config)#reload
knowledgebase/cisco
Systemconfighasbeenmodified.Save?[Y]es/[N]o:N
voice.html)
Proceedwithreload?[confirm]
CISCOFIREWALLS
ciscoasa(config)#
***
***STARTGRACEFULSHUTDOWN
Shuttingdownisakmp
Shuttingdownwebvpn
(/ciscotechnical
knowledgebase/cisco
firewalls.html)
CISCOWIRELESS
ShuttingdownFilesystem
(/ciscotechnical
***
knowledgebase/cisco
***SHUTDOWNNOW
wireless.html)
Processshutdownfinished
CISCOSERVICES&
Rebooting.....
TECHNOLOGIES
(/ciscotechnical
knowledgebase/cisco
servicestech.html)
CONFIGURE HOSTNAME, USERS, 'ENABLE' PASSWORD & DISABLE ANONYMOUS REPORTING
CONFIGURE HOSTNAME, USERS, 'ENABLE' PASSWORD & DISABLE ANONYMOUS REPORTING
CISCOAUTHORS&CCIE
Next,weneedtoconfiguretheEnablepassword,requiredforprivilegedexecmodeaccess,andthenuseraccountsthatwillhaveaccess
INTERVIEWS
tothefirewall.
(/ciscotechnical
knowledgebase/ccie
The ASA Firewall wont ask for a username/password when logging in next, however, the default enable password of cisco, will be
experts.html)
requiredtogainaccesstoprivilegedmode:
Ciscoasa>enable
Password:cisco
ciscoasa#configureterminal
ciscoasa(config)#
*****************************NOTICE*****************************
HelptoimprovetheASAplatformbyenablinganonymousreporting,
whichallowsCiscotosecurelyreceiveminimalerrorandhealth
informationfromthedevice.Tolearnmoreaboutthisfeature,
pleasevisit:http://www.cisco.com/go/smartcall
Wouldyouliketoenableanonymouserrorreportingtohelpimprove
theproduct?[Y]es,[N]o,[A]sklater:N
Inthefuture,ifyouwouldliketoenablethisfeature,
issuethecommand"callhomereportinganonymous".
Pleaseremembertosaveyourconfiguration.
At this point we need to note that when starting off with the factory default configuration, as soon as we enter the configure
terminal command, the system will ask if we would like to enable Ciscos callhome reporting feature. We declined the offer and
continuedwithoursetup:
ciscoasa(config)#hostnameASA5505
ASA5505(config)#enablepasswordfirewall.cx
ASA5505(config)#usernameadminpasswords1jw$528ds2privilege15
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and
has access to all configuration commands including erasing the configuration and files on the devices flash disk, such as the operating
system.
POPULAR CISCO
ARTICLES
DMVPNConfiguration(/cisco
technical
knowledgebase/cisco
routers/901ciscorouter
dmvpnconfiguration.html)
CiscoIPSLA(/cisco
technical
knowledgebase/cisco
routers/813ciscorouteripsla
basic.html)
VLANSecurity(/cisco
technical
knowledgebase/cisco
switches/818ciscoswitches
vlansecurity.html)
4507REInstallation(/cisco
technical
knowledgebase/cisco
switches/948ciscoswitches
4507rewsx45sup7le
installation.html)
CallManagerExpressIntro
(/ciscotechnical
knowledgebase/cisco
voice/371ciscoccmepart
1.html)
SecureCMESRTP&TLS
(/ciscotechnical
CONFIGURE INTERFACE IP ADDRESSES / VLAN IP ADDRESSES & DESCRIPTIONS
knowledgebase/cisco
Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with
securevoip.html)
ASA5510andlargermodels,orcreateVLANs(inside/outside)andconfigurethemwithIPaddresses,usuallywiththesmallerASA5505
CiscoPasswordCrack(/cisco
models.
technical
voice/956ciscovoicecme
knowledgebase/cisco
InmanycasesnetworkengineersuseVLANinterfacesonthelargerASA5500models,however,thisdependsonthelicensingcapabilities
routers/358ciscotype7
ofthedevice,existingnetworksetupandmore.
passwordcrack.html)
InthecaseoftheASA5505wemustuseVLANinterfaces,whichareconfiguredwiththeirappropriateIPaddressesandthen(nextstep)
characterisedasinside(private)oroutside(public)interfaces:
ASA5505(config)#interfacevlan1
ASA5505(config)#descriptionPrivateInterface
SitetoSiteVPN(/cisco
technical
knowledgebase/cisco
routers/867ciscoroutersite
tositeipsecvpn.html)
ASA5505(configif)#ipaddress10.71.0.1255.255.255.0
ASA5505(configif)#noshutdown
!
FREE CISCO LAB

PARTNER
ASA5505(config)#descriptionPublicInterface
ASA5505(configif)#ipaddress192.168.3.50255.255.255.0
99238)
ASA5505(config)#interfaceethernet0/0
ASA5505(configif)#switchportaccessvlan2
POPULAR LINUX
ARTICLES
LinuxInit&RunLevels(/linux
Alternatively,thePublicinterface(VLAN2)canbeconfiguredtoobtainitsIPaddressautomaticallyviaDHCPwiththefollowing
knowledgebasetutorials/linux
command:
administration/845linux
administrationrunlevels.html)
LinuxGroups&Users(/linux
ASA5505(config)#descriptionPublicInterface
ASA5505(configif)#ipaddressdhcpsetroute
groupsuseraccounts.html)
LinuxPerformanceMonitoring
ThesetrouteparameterattheendofthecommandwillensuretheASAFirewallsetsitsdefaultroute(gateway)usingthedefaultgateway
(/linuxknowledgebase
parametertheDHCPserverprovides.
tutorials/linux
AfterconfiguringVLAN1&VLAN2withtheappropriateIPaddresses,weconfiguredethernet0/0asanaccesslinkforVLAN2sowecan
useitasaphysicalpublicinterface.Outofthe8totalEthernetinterfacestheASA5505has,atleastonemustbesetwiththeswitchport
accessvlan2otherwisetherewontbeanyphysicalpublicinterfaceontheASAforourfrontendroutertoconnectto.Ethernetports0/1 to
0/7mustalsobeconfiguredwiththeno shutdown command in order make them operational. All of these ports are, by default, access
linksforVLAN1.Providedaretheconfigurationcommandsforthefirsttwoethernetinterfaceastheconfigurationisidenticalforall:
systemresource
monitoring.html)
LinuxVimEditor(/linux
ASA5505(config)#interfaceethernet0/1
ASA5505(configif)#interfaceethernet0/2
vi.html)
LinuxSamba(/linux
knowledgebase
tutorials/systemandnetwork
services/848linuxservices
samba.html)
LinuxDHCPServer(/linux
SETUP INSIDE (PRIVATE) & OUTSIDE (PUBLIC) INTERFACES
knowledgebase
tutorials/systemandnetwork
Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall
services/849linuxservices
understandwhichinterfaceisconnectedtothetrusted(private)anduntrusted(public)network:
dhcpserver.html)
LinuxBindDNS(/general
topicsreviews/linuxunix
ASA5505(configif)#nameifinside
related/829linuxbind
INFO:Securitylevelfor"inside"setto100bydefault.
introduction.html)
LinuxFile&Folder
Permissions(/generaltopics
ASA5505(configif)#nameifoutside
reviews/linuxunix
INFO:Securitylevelfor"outside"setto0bydefault.
related/introductionto
linux/299linuxfilefolder
TheASAFirewallwillautomaticallysetthesecuritylevelto100forinsideinterfacesand0tooutsideinterfaces.Trafficcanflowfrom
highersecuritylevelstolower(privatetopublic),butnottheotherwayaround(publictoprivate)unlessstatedbyanaccesslists.
permissions.html)
LinuxOpenMosix(/general
topicsreviews/linuxunix
To change the securitylevel of an interface use the securitylevel xxx command by substituting xxx with a number from 0 to 100. The
related/openmosixlinux
higherthenumber,thehigherthesecuritylevel.DMZinterfacesareusuallyconfiguredwithasecuritylevelof50.
supercomputer.html)
LinuxNetworkConfig(/linux
Itisextremelyimportantthenecessarycautionistakenwhenselectingandapplyingtheinside/outsideinterfacesonanyASAFirewall.
servicestcpip.html)
CONFIGURE DEFAULT ROUTE (DEFAULT GATEWAY) & STATIC ROUTES

ThedefaultrouteconfigurationcommandisnecessaryfortheASAFirewalltoroutepacketsoutsidethenetworkviathenexthop,usually
BANDWIDTH
MONITORING
a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default
gatewayisnotrequired.
ASA5505(config)#routeoutside0.0.0.00.0.0.0192.168.3.1
Atthispoint,itsagoodideatotrytestingthenexthoprouterandconfirmtheASAFirewallcanreachit:
ASA5505(config)#ping192.168.3.1
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto192.168.3.1,timeoutis2seconds:
!!!!!
Successrateis100percent(5/5),roundtripmin/avg/max=1/1/1ms
99758)
RSS SUBSCRIPTION
SubscribetoFirewall.cxRSS
FeedbyEmail
(http://feedburner.google.com/fb/a/mailverify?
uri=firewallcx&loc=en_US)
FornetworkswithmultipleinternalVLANs,itisnecessarytoconfigurestaticroutestoensuretheASAFirewallknowshowtoreachthem.
UsuallythesenetworkscanbereachedviaaLayer3switchoraninternalrouter.Forourexample,wellassumewehavetwonetworks:
10.75.0.0/24&10.76.0.0/24whichweneedtoprovideInternetaccessto.TheseadditionalnetworksarecontactableviaaLayer3device
withIPaddress10.71.0.100:
CONFIGURE NETWORK ADDRESS TRANSLATION (NAT) FOR INTERNAL NETWORKS

ThisisthelaststeprequiredtosuccessfullyprovideInternetaccesstoourinternalnetworks.NetworkAddressTranslationisessentialto
masqueradeourinternalnetworkusingthesingleIPaddressourPublicinterfacehasbeenconfiguredwith.NetworkAddressTranslation,
alongwithallitsvariations(Static,Dynamicetc),iscoveredingreatdepthinourpopularNetworkAddressTranslation(/networking
topics/networkaddresstranslationnat.html)section.
WeshouldnoteatthispointthatNATconfigurationhasslightlychangedwithASAsoftwareversion8.3andabove.Wewillprovideboth
commandstocoverinstallationswithsoftwareversionuptov8.2.5andfromv8.3andabove.
ThefollowingcommandsapplytoASAapplianceswithsoftwareversionupto8.2.5:
ASA5505(config)#global(outside)1interface
INFO:outsideinterfaceaddressaddedtoPATpool
ASA5505(config)#nat(inside)110.71.0.0255.255.255.0
Intheaboveconfiguration,theASAFirewallisinstructedtoNATallinternalnetworksusingtheNATGroup1.Thenumber1isusedto
identifytheNATgroupsfortheNATprocessbetweentheinsideandoutsideinterfaces.
The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside
interface.
AnothermethodofconfiguringNATiswiththeuseofaccesslists.Inthiscase,wedefinetheinternalIPaddressestobeNATedwiththe
useofaccesslists:
ASA5505(config)#accesslistNATACLsextendedpermitip10.71.0.0255.255.255.0any
ASA5505(config)#global(outside)1interface
INFO:outsideinterfaceaddressaddedtoPATpool
ASA5505(config)#nat(inside)1accesslistNATACLs
NATwiththeuseofaccesslistsprovidesgreaterflexibilityandcontrolwhichIPaddressesornetworkswillusetheNATservice.
Withsoftwareversion8.3andnewer,thingshavechangeddramaticallyandtherearenomoreaccesslistsinNATconfigurationlines.
The new NAT format now utilizes "object network", "object service" and "objectgroup network" to define the parameters of the NAT
configuration.
The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the
Internet:
ASA5505(config)#objectnetworknetwork1
ASA5505(confignetworkobject)#subnet10.71.0.0255.255.255.0
ASA5505(confignetworkobject)#nat(inside,outside)dynamicinterface
!
!
CONFIGURING THE ASA DHCP SERVER

TheexistenceofaDHCPserverisnecessaryinmostcasesasithelpsmanagetheassignmentofIPaddresstoourinternalhosts.The
ASAFirewallcanbeconfiguredtoprovideDHCPservicestoourinternalnetwork,averyhandyandwelcomefeature.
Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the
maximumassignedIPaddresesfortheDHCPpoolwasjust128!
NotethattheDHCPservicecanrunonallASAinterfacessoitisnecessarytospecifywhichinterfacetheDHCPconfigurationparameters
arefor:
ASA5505(config)#dhcpdaddress10.71.0.5010.71.0.200inside
Warning,DHCPpoolrangeislimitedto128addresses,setaddressrangeas:10.71.0.5010.71.0.177
ASA5505(config)#dhcpdaddress10.71.0.5010.71.0.128inside
ASA5505(config)#dhcpddns8.8.8.8interfaceinside
Onceconfigured,theDHCPservicewillbeginworkingandassigningIPaddressestotheclients.TheGateway IP address parameter is
automaticallyprovidedtoclientandisnotrequiredtobeconfiguredontheASAFirewallappliance.
WecanverifytheDHCPserviceisworkingusingtheshowdhcpdstatisticscommand:
ASA5505(config)#showdhcpdstatistics
DHCPUDPUnreachableErrors:0
DHCPOtherUDPErrors:0
Addresspools1
Automaticbindings1
Expiredbindings0
Malformedmessages0
MessageReceived
BOOTREQUEST0
DHCPDISCOVER1
DHCPREQUEST1
DHCPDECLINE0
DHCPRELEASE0
DHCPINFORM1
Ifrequired,wecancleartheDHCPbindings(assignedIPaddresses)usingthecleardhcpdbindingcommand.
CONFIGURE AAA AUTHENTICATION FOR LOCAL DATABASE USER AUTHENTICATION

Configuring AAA authentication is always a good idea as it instructs the ASA Firewall to use the local user database for the various
services it's running. For example, we can tell the ASA Firewall to use a radius server for VPN user authentication, but use its local
databasefortelnet,sshorHTTP(ASDM)managementaccesstotheFirewallappliance.
Asmentioned,ourexampleinstructstheASAFirewalltouseitslocaldatabase:
ASA5505(config)#aaaauthenticationtelnetconsoleLOCAL
ASA5505(config)#aaaauthenticationhttpconsoleLOCAL
ASA5505(config)#aaaauthenticationsshconsoleLOCAL
ENABLE HTTP MANAGEMENT FOR INSIDE INTERFACE

We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the
FirewallsmanagementviathepopularASDMmanagementapplication:
ASA5505(config)#http10.71.0.0255.255.255.0inside
WARNING:httpserverisnotyetenabledtoallowASDMaccess.
ASA5505(config)#httpserverenable
TheabovecommandsenableHTTPmanagementontheASAFirewallonlyforthenetwork10.71.0.0/24.
ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES
EnablingSSHandTelnetaccesstotheCiscoFirewallisprettystraightforward.WhilewealwaysrecommendtheuseofSSH,especially
whenaccessingtheFirewallfrompublicIPs,telnetisalsoanoption,however,wemustkeepinmindthattelnetmanagementmethodsdo
notprovideanysecurityasalldata(includingusername,passwordsandconfigurations)aresentincleartext.
Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any such step as it does not
provideanyencryptionorsecurity:
ASA5505(config)#cryptokeygeneratersamodulus1024
INFO:Thenameforthekeyswillbe:
Keypairgenerationprocessbegin.Pleasewait...
ASA5505(config)#ssh10.71.0.0255.255.255.0inside
ASA5505(config)#ssh200.200.90.5255.255.255.255outside
ASA5505(config)#telnet10.71.0.0255.255.255.0inside
NotethattheASAFirewallappliancewillonlyacceptSSHconnectionsfromhost200.200.90.5arrivingonitspublicinterface,whileSSH
andtelnetconnectionsarepermittedfromnetwork10.71.0.0/24ontheinsideinterface.
CREATE, CONFIGURE AND APPLY TCP/UDP OBJECTGROUPS

AnessentialpartofanyfirewallconfigureistodefinetheInternetservicesouruserswillhaveaccessto.Thisisdonebyeithercreatinga
numberoflengthyaccesslistsforeachprotocol/serviceandthenapplyingthemtotheappropriateinterfaces,orutilisingtheASAFirewall
ObjectGroups which are then applied to the interfaces. Using Objectgroups is easy and recommended as they provide a great deal of
flexibilityandeaseofmanagement.
Thelogicissimple:CreateyourObjectGroups,inserttheprotocolsandservicesrequired,andthenreferencetheminthefirewallaccess
lists.Asalaststep,weapplythemtotheinterfacesweneed.
Lets use an example to help visualise the concept. Our needs require us to create two ObjectGroups, one for TCP and one for UDP
services:
ASA5505(config)#objectgroupserviceInternetudpudp
ASA5505(configservice)#descriptionUDPStandardInternetServices
ASA5505(configservice)#portobjecteqdomain
ASA5505(configservice)#portobjecteqntp
ASA5505(configservice)#portobjecteqisakmp
ASA5505(configservice)#portobjecteq4500
!
ASA5505(configservice)#objectgroupserviceInternettcptcp
ASA5505(configservice)#descriptionTCPStandardInternetServices
ASA5505(configservice)#portobjecteqwww
ASA5505(configservice)#portobjecteqhttps
ASA5505(configservice)#portobjecteqsmtp
ASA5505(configservice)#portobjecteqpop3
ASA5505(configservice)#portobjecteqftp
ASA5505(configservice)#portobjecteqftpdata
ASA5505(configservice)#portobjecteqdomain
ASA5505(configservice)#portobjecteqssh
ASA5505(configservice)#portobjecteqtelnet
NowweneedtoreferenceourtwoObjectgroupsusingthefirewallaccesslists.Herewecanalsodefinewhichnetworkswillhaveaccess
totheserviceslistedineachObjectgroup:
ASA5505(config)#accesslistinsideinremark=[AccessListsForOutgoingPacketsfromInsideinterface]=
ASA5505(config)#accesslistinsideinextendedpermitudp10.71.0.0255.255.255.0anyobjectgroupInternetudp
ASA5505(config)#accesslistinsideinextendedpermittcp10.71.0.0255.255.255.0anyobjectgroupInternettcp
Note that the 10.71.0.0/25 network has access to both Objectgroups services, our other networks are restricted to only the services
definedintheTCPObjectgroup.TounderstandhowObjectgroupshelpsimplifyaccesslistmanagement:withoutthem,wewouldrequire
37accesslistscommandsinsteadofjust4!
CONFIGURATION OF ACCESSLISTS FOR ICMP PACKETS TO THE INTERNET

TocompleteouraccesslistconfigurationweconfigureourASAFirewalltoallowICMPechopackets(ping)toanydestination,andtheir
replies(echoreply):
ASA5505(config)#accesslistinsideinextendedpermiticmp10.71.0.0255.255.255.0any
ASA5505(config)#accesslistoutsideinremark=[AccessListsForIncomingPacketsonOUTSIDEinterface]=
ASA5505(config)#accesslistoutsideinextendedpermiticmpanyanyechoreply
APPLING FIREWALL ACCESSLISTS TO INSIDE AND OUTSIDE INTERFACES

The last step in configuring our firewall rules involves applying the two access lists, insidein & outsidein, to the appropriate interfaces.
Oncethisstepiscompletethefirewallrulesareineffectimmediately:
ASA5505(config)#accessgroupinsideinininterfaceinside
ASA5505(config)#accessgroupoutsideinininterfaceoutside
CONFIGURE LOGGING/DEBUGGING OF EVENTS & ERRORS

ThislaststepinourASAFirewallconfigurationguidewillenablelogginganddebuggingsothatwecaneasilytraceeventsanderrors.Itis
highlyrecommendedtoenableloggingbecauseitwillcertainlyhelptroubleshootingtheASAFirewallwhenproblemsoccur.
ASA5505(config)#loggingbuffered7
ASA5505(config)#loggingbuffersize30000
ASA5505(config)#loggingenable
Thecommandsusedaboveenableloginthedebugginglevel(7)andsetsthebuffersizeinRAMto30,000bytes(~30Kbytes).
Issuingtheshowlogcommandwillrevealanumberofimportantlogsincludinganypacketsthatareprocessedordeniedduetoaccess
lists:
ASA5505(config)#showlog
Sysloglogging:enabled
Facility:20
Timestamplogging:disabled
Standbylogging:disabled
Debugtracelogging:disabled
Consolelogging:disabled
Monitorlogging:disabled
Bufferlogging:leveldebugging,39925messageslogged
Traplogging:disabled
Historylogging:disabled
DeviceID:disabled
Maillogging:disabled
ASDMlogging:disabled
n"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54843dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denyudpsrcinside:10.71.0.50/137dstoutside:10.0.0.10/137byaccessgroup"insidein"[0x0,0x0]
%ASA6302014:TeardownTCPconnection4718foroutside:173.194.40.49/443toinside:10.71.0.50/54803duration0:02:00bytes
1554462TCPFINs
CONCLUSION

Cisco ASA5500 (5505, 5510, 5520, Etc) Series Firewall Security Appliance Startup Configuration & Basic Concepts

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Cisco ASA5500 (5505, 5510, 5520, Etc) Series Firewall Security Appliance Startup Configuration & Basic Concepts

Загружено:

Авторское право:

Доступные форматы

(http://www.firewall.