http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/964-cisco-asa5500-startup.html
Cisco ASA 5500 series comparison (from the Cisco datasheet)

Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps
Maximum Firewall and IPS Throughput | Up to 150 Mbps with AIP-SSC-5 | (not shown) | Up to 225 Mbps with AIP-SSM-10; up to 375 Mbps with AIP-SSM-20; up to 450 Mbps with AIP-SSM-40 | Up to 500 Mbps with AIP-SSM-20; up to 650 Mbps with AIP-SSM-40 | Not available
3DES/AES VPN Throughput*** | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps
IPsec VPN Peers | 10; 25 | 250 | 750 | 5000 | 5000
Premium AnyConnect VPN Peers* (Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000
Concurrent Connections | 10,000; 25,000 * | 50,000; 130,000 * | 280,000 | 400,000 | 650,000
New Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000
Integrated Network Ports | 8-port Fast Ethernet switch (including 2 PoE ports) | (not shown) | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet
Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400
Users can also download the complete technical datasheet for the Cisco ASA 5500 series firewalls by visiting our
Cisco Product Datasheet & Guides Download section.
Perhaps the most important point, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 firewall does not really differ from configuring the larger ASA 5520. The same steps set up pretty much every ASA 5500 series firewall, which is great news!

The main differences, besides the licenses that enable or disable features, are the physical interfaces of each model (mainly between the ASA 5505 and the larger 5510/5520) and any modules that might be installed. On the 5505 the eight ports are switch ports and the Layer 3 configuration lives on VLAN interfaces, whereas the 5510 and larger models use routed physical interfaces, so the interface commands are the part that changes between models. In any case, if we can configure a small ASA 5505, configuring the larger models won't be an issue.

At the time of writing Firewall.cx came across a Cisco ASA 5505, so we decided to put it to good use for this article. Do note, however, that all commands and the configuration philosophy are the same across all ASA 5500 series security appliances.
Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article provides both
old style (up to v8.2.5) and new style (v8.3 onwards) NAT configuration commands.
Additional reading material: Users seeking nothing but the best security information on ASA Firewalls, written by
leading Cisco Security Engineers, should consider the following highly recommended Cisco Press titles:
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition
Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition
At this point we need to note that when starting off with the factory default configuration, as soon as we enter the configure terminal command the system asks whether we would like to enable Cisco's call-home reporting feature. We declined and continued with our setup:
ciscoasa(config)# hostname ASA5505
ASA5505(config)# enable password firewall.cx
ASA5505(config)# username admin password s1jw$528ds2 privilege 15
The privilege 15 parameter at the end of the command line tells the system that this is an account with full privileges, with access to every configuration command, including erasing the configuration and the files on the device's flash disk, such as the operating system image. Create one such account per administrator rather than a shared one, so that the logs identify who made a change.
Alternatively, the public interface (VLAN 2) can be configured to obtain its IP address automatically via DHCP with the following commands:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown
The setroute parameter at the end of the command makes the ASA set its default route (gateway) from the default gateway option the DHCP server provides. Keep in mind that this hands control of the firewall's default route to whatever answers DHCP on the public segment; where the upstream router's address is fixed, a static address and static default route are the safer choice.
After configuring VLAN 1 and VLAN 2 with the appropriate IP addresses, we configured Ethernet 0/0 as an access link for VLAN 2 so we can use it as the physical public interface. Of the eight Ethernet ports on the ASA 5505, at least one must be set with switchport access vlan 2; otherwise there is no physical public interface for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command to make them operational; all of these ports are, by default, access links for VLAN 1. The configuration commands for the first two Ethernet interfaces are shown, as the configuration is identical for all of them:
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown
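The interface steps above, put together into one listing. This is an added example, not the article's own configuration: it assumes VLAN 1 is the inside interface at 10.71.0.1/24 (chosen to match the 10.71.0.0/24 management network the article uses later), VLAN 2 is the outside interface addressed by DHCP, and Ethernet 0/0 faces the frontend router; the inside address and the description texts are assumptions.

```cisco
! Added example (not from the article). Assumed: inside 10.71.0.1/24, outside via DHCP.
!
! Inside interface: VLAN 1, highest security level, so traffic from it is trusted by default.
interface vlan 1
 nameif inside
 security-level 100
 ip address 10.71.0.1 255.255.255.0
 no shutdown
!
! Outside interface: VLAN 2, lowest security level. "setroute" installs the default
! route from the DHCP offer, so the upstream router has to be the DHCP server.
interface vlan 2
 nameif outside
 security-level 0
 description Public-Interface
 ip address dhcp setroute
 no shutdown
!
! Ethernet 0/0 is moved into VLAN 2 as an access port: the only physical path to
! the frontend router. Ports 0/1 to 0/7 stay in VLAN 1 (the default) and only
! need to be brought up, since ASA 5505 switch ports are shut down out of the box.
interface ethernet 0/0
 description Link to frontend router
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 no shutdown
interface ethernet 0/2
 no shutdown
interface ethernet 0/3
 no shutdown
interface ethernet 0/4
 no shutdown
interface ethernet 0/5
 no shutdown
interface ethernet 0/6
 no shutdown
interface ethernet 0/7
 no shutdown
!
! Checks: port-to-VLAN mapping, interface addresses/state, and the DHCP-learned default route.
show switch vlan
show interface ip brief
show route
```

If show route shows no default route after the outside interface comes up, the DHCP offer did not carry a gateway option and the firewall will forward nothing towards the Internet; that is the first thing to check before looking at NAT or access lists.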
Part of the show dhcpd statistics output (counters that did not survive in this copy are left blank):
Automatic bindings      1
Expired bindings
Malformed messages      0

Message                 Received
BOOTREQUEST             0
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM
If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.
Enable SSH & Telnet Management for Inside and Outside Interfaces
Enabling SSH and Telnet access to the Cisco firewall is straightforward. We always recommend SSH, especially when accessing the firewall from public IPs. Telnet is also an option, but keep in mind that it provides no security at all: everything (usernames, passwords and configuration) is sent in clear text, so it should never be reachable from the outside interface.
Before enabling SSH we must generate an RSA key pair, which the ASA uses as its SSH host key. A 1024-bit modulus, as used below, is considered weak today; prefer 2048 bits. Telnet needs no such step, as it provides no encryption:
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside
ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside
ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside
Note that the ASA will accept SSH connections only from host 200.200.90.5 arriving on its public interface, while both SSH and Telnet connections are permitted from the 10.71.0.0/24 network on the inside interface. Also note that, unless SSH authentication is pointed at the local user database through AAA, SSH logins do not use the admin account created earlier: the ASA then expects the fixed username pix together with the Telnet login password.
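A hardened version of the management access just configured, shown next to the weak settings. This is an added example, not the article's listing: the 10.71.0.0/24 inside range and the 200.200.90.5 outside host are the article's, while the domain name example.net is an assumption (key generation requires a hostname and a domain name to be set).

```cisco
! Added example (not from the article). Assumed: domain name example.net.
!
! --- Weak, as configured above ---
! crypto key generate rsa modulus 1024     (short key)
! ssh 10.71.0.0 255.255.255.0 inside       (SSH v1 and v2 both accepted by default)
! ssh 200.200.90.5 255.255.255.255 outside
! telnet 10.71.0.0 255.255.255.0 inside    (clear-text management)
! (no AAA: SSH logs in as user "pix" with the Telnet password, not as "admin")
!
! --- Hardened ---
domain-name example.net
! Discard the 1024-bit key and generate a 2048-bit one. zeroize removes every RSA
! key on the appliance, including any used by VPN identity certificates, so run it
! only on a freshly set up box or after checking with show crypto key mypubkey rsa.
crypto key zeroize rsa
crypto key generate rsa modulus 2048
! Accept only SSH protocol 2 and drop idle sessions after 10 minutes.
ssh version 2
ssh timeout 10
! Authenticate SSH against the local user database, so the privilege 15 "admin"
! account created earlier is what logs in.
aaa authentication ssh console LOCAL
! Same source restrictions as before: a /24 on the inside, a single host on the outside.
ssh 10.71.0.0 255.255.255.0 inside
ssh 200.200.90.5 255.255.255.255 outside
! Remove Telnet entirely; it would carry the admin credentials in clear text.
no telnet 10.71.0.0 255.255.255.0 inside
!
! Checks: key size, SSH version/timeout/allowed sources, AAA binding, live sessions.
show crypto key mypubkey rsa
show ssh
show running-config aaa
show ssh sessions
```

Apply the AAA line from a console session or with a second SSH session already open: if the local account's password is mistyped, the ASA will stop accepting the pix login the moment AAA is bound, and you want a way back in.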
Note that the 10.71.0.0/25 network has access to the services in both object-groups, while our other networks are restricted to the services defined in the TCP object-group only. To see how object-groups simplify access-list management: without them we would need 37 access-list commands instead of just 4!
The logging commands used above enable buffered logging at the debugging level (7) and set the buffer size in RAM to 30,000 bytes (~30 KB).
Issuing the show log command (short for show logging) displays the logging settings followed by the buffered messages, including packets that were processed or denied by access lists:
ASA5505(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 39925 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
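The output above shows the limits of the logging set-up the article uses: 39,925 messages have already been logged into a 30,000-byte buffer, so only the most recent survive, the messages carry no timestamps, and nothing leaves the appliance. The listing below is an added example rather than the article's configuration; the "as configured" lines are reconstructed from the description earlier on the page (the original commands are not shown), and the syslog collector address 10.71.0.20 on the inside is an assumption.

```cisco
! Added example (not from the article). Assumed: a syslog collector at 10.71.0.20 (inside).
!
! --- As configured in the article (reconstructed from its description) ---
! logging enable
! logging buffered debugging
! logging buffer-size 30000
!
! --- Adjusted for retention and triage ---
logging enable
! Stamp every message with time and device name; without these the buffered
! denies above cannot be correlated with anything else.
logging timestamp
logging device-id hostname
! Keep the local buffer for quick checks, but at informational (6): debugging (7)
! fills a small buffer with internal chatter, and the access-group denies
! (%ASA-4-106023) are level 4, so they are still captured.
logging buffered informational
logging buffer-size 65536
! Ship the same messages to a collector so that denies survive a reboot or a
! buffer wrap. The default transport is UDP/514.
logging host inside 10.71.0.20
logging trap informational
!
! Checks: buffer settings, then only the access-group denies, then one host's denies.
show logging | include Buffer logging
show logging | include 106023
show logging | include 10.71.0.50/
```

The repeated 106023 lines in the article's output all come from 10.71.0.50 towards 10.0.0.10 on 445, 139 and 137 (SMB and NetBIOS), with identical source ports recurring as the client retransmits; a filtered view like the last check is what makes that pattern stand out in a full buffer.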
Conclusion
This article serves as an introductory configuration guide for the ASA 5500 series firewall appliances. We covered all the commands needed to get an ASA 5500 firewall working and serving network clients, and explained in detail every command used during the configuration process.