Sie sind auf Seite 1von 8

(http://www.firewall.

cx)

FIREWALL.CXTEAM

NEWS

ALTERNATIVEMENU

RECOMMENDEDSITES

CONTACTUSFEEDBACK

(/MEETTHETEAM.HTML)

(/NEWS.HTML)

(/SITEMAP.HTML)

(/RECOMMENDEDSITES.HTML)

(/CONTACTUS.HTML)

HOME

(/)

NETWORKING

(/networking-topics.html)

(/microsoft-knowledgebase.html)

MICROSOFT
DOWNLOADS

(/downloads.html)

FORUM

LINUX

CISCO

(/cisco-technical-knowledgebase.html)

(/linux-knowledgebase-tutorials.html)

MORE CONTENT

(/general-topics-reviews.html)

(/forums.html)

WEDNESDAY,16DECEMBER2015

search...

HOT DOWNLOADS
(http://clixtrac.com/goto/?99229)

(http://clixtrac.com/goto/?210268)

(http://clixtrac.com/goto/?212109)

NETWORK SECURITY
FREE HYPERV &
AUTOMATED ONLINE
SCANNER
VMWARE BACKUP
WEB SECURITY SCAN
(HTTP://CLIXTRAC.COM/GOTO/? (HTTP://CLIXTRAC.COM/GOTO/? (HTTP://CLIXTRAC.COM/GOTO/?
NETWORK SECURITY
SCANNER

(/component/banners/click/3.html)

CISCO ASA5500 (5505, 5510, 5520, ETC) SERIES FIREWALL


SECURITY APPLIANCE STARTUP CONFIGURATION & BASIC
CONCEPTS
WRITTENBYADMINISTRATOR.POSTEDINCISCOFIREWALLSASA&PIXFIREWALLCONFIGURATION(/CISCOTECHNICALKNOWLEDGEBASE/CISCO
FIREWALLS.HTML)

(http://clixtrac.com/goto/?
99232)

FREE HYPERV &


VMWARE BACKUP

Rating4.81(16Votes)
Share

Tweet

Like

Share 189peoplelikethis.SignUpto
seewhatyourfriendslike.

INTRODUCING THE CISCO ASA 5500 SERIES FIREWALL APPLIANCE


TheCiscoASA5500seriessecurityapplianceshavebeenaroundforquitesometime
and are amongst the most popular hardware firewalls available in the market. Today
Firewall.cx(http://www.firewall.cx)takesalookathowtoeasilysetupaCiscoASA5500
series firewall to perform basic functions, more than enough to provide secure &

(http://clixtrac.com/goto/?
210273)

restricted access to the Internet, securely access and manage the ASA Firewall and
more.
While many consider the Cisco ASA Firewalls complex and difficult to configure
devices, Firewall.cx aims to break that myth and show how easy you can setup an ASA Firewall to deliver basic and advanced
functionality.WevedoneitwithotherCiscotechnologiesanddevices,andwelldoitagain:)

RECOMMENDED
DOWNLOADS
WebSecurity
(http://clixtrac.com/goto/?
99233)

ThetablebelowprovidesabriefcomparisonbetweenthedifferentASA5500seriessecurityappliances:

FreeHyperV&VMware
Backup

Feature

CiscoASA5505 CiscoASA
5510

CiscoASA

CiscoASA

CiscoASA

(http://clixtrac.com/goto/?

5520

5540

5550

210270)
ServerAntiSpam

Users/Nodes

10,50,or
unlimited

Unlimited

Unlimited

Unlimited

Unlimited

(http://clixtrac.com/goto/?
99234)
NetworkScanner

FirewallThroughput Upto150Mbps Upto300


Mbps

Upto450

Upto650

Upto1.2

(http://clixtrac.com/goto/?

Mbps

Mbps

Gbps

99235)
IDSSecurityManager

MaximumFirewall

Upto150

andIPSThroughput MbpswithAIP
SSC5

Upto150

Upto225

Upto500

Mbpswith

MbpswithAIP Mbpswith

AIPSSM10 SSM10

AIPSSM20

Upto300

Upto375

Upto650

Mbpswith

MbpswithAIP Mbpswith

AIPSSM20 SSM20

Notavailable

(http://clixtrac.com/goto/?
99236)
WebProxyMonitor
(http://clixtrac.com/goto/?
99237)
NetworkAnalyzerSniffer
(http://clixtrac.com/goto/?

AIPSSM40

195370)
Upto450

CiscoVPNClient

MbpswithAIP

(/downloads/ciscotoolsa

SSM40

applications.html)
NetworkFaxServer

3DES/AESVPN

Upto100Mbps Upto170

***

Throughput

Mbps

Upto225

Upto325

Upto425

Mbps

Mbps

Mbps

(http://clixtrac.com/goto/?
100607)
ForensicSecurityAnalysis
(http://clixtrac.com/goto/?

IPsecVPNPeers

1025

250

750

5000

5000

195375)
WebVulnerabilityScanner

Premium

2/25

2/250

2/750

2/2500

2/5000

AnyConnectVPN

(http://clixtrac.com/goto/?
191594)

Peers

(Included/Maximum)

Concurrent

WEBSITE SCANNER
10,00025,000*

New

50,000

280,000

400,000

650,000

130,000*

Connections

4000

9000

12,000

25,000

33,000

IntegratedNetwork

8portFast

5Fast

4Gigabit

4Gigabit

8Gigabit

Ports

Ethernetswitch Ethernet

Ethernet,

Ethernet,

Ethernet,

(including2PoE ports2

1Fast

1Fast

4SFPFiber,

ports)

Ethernet

Ethernet

1Fast

Connections/Second

Gigabit
Ethernet+3

Ethernet

(http://clixtrac.com/goto/?
211418)

NETWORK ANALYZER

Fast
Ethernet
ports *

VirtualInterfaces

3(notrunking

(VLANs)

support)/20(with

50/100*

150

200

400

trunking
support)*

(http://clixtrac.com/goto/?
195373)

Userscanalsodownloadthecompletetechnicaldatasheet(/downloads/ciscoproductdatasheetsaguides/ciscoasa5500series
adaptivesecurityappliances.html)fortheCiscoASA5500seriesfirewallsbyvisitingourCiscoProductDatasheet&GuidesDownload
section(/downloads/ciscoproductdatasheetsaguides.html).

(http://www.linkedin.com/groups?
(https://www.facebook.com/fire
(http://twitter.com/firewall
(http://feeds.feedbu
CONNECT:home=&gid=1037867)

Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505
Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to setup pretty much all ASA
5500seriesFirewallswhichisGreatNews!

FACEBOOK LIKE US!


Firewall
LikePage

POPULAR SECURITY
ARTICLES
ImplicationsofUnsecure
Webservers&Websites
(/generaltopics
The main differences besides the licenses, which enable or disable features, are the physical interfaces of each ASA model (mainly

reviews/security

betweentheASA5505andthelarger5510/5520)andpossiblymodulesthatmightbeinstalled.Inanycase,weshouldkeepinmindthatif

articles/1072implications

weareabletoconfigureasmallASA5505thenconfiguringthelargermodelswontbeanissue.

ofunsecurewebservers
andwebsitesfor

At the time of writing of this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to good use for this article,

oganizations

however,donotethatallcommandsandconfigurationphilosophyisthesameacrossallASA5500seriessecurityappliances.

companies.html)
TheImportanceof

Note:ASAsoftwareversion8.3.0andaboveusedifferentNATconfigurationcommands.Thisarticleprovidesbotholdstyle(up

AutomatingWebSecurity

tov8.2.5)andnewstyle(v8.3onwards)NATconfigurationcommands.

PenetrationTesting
(/generaltopics

reviews/security
articles/1074automation
webapplicationsecurity

Additionalreadingmaterial:UsersseekingnothingbutthebestsecurityinformationonASAFirewalls,writtenbyleadingCiscoSecurity

testing.html)

Engineers,shouldconsiderthefollowinghighlyrecommendedCiscoPresstitles:

ChoosingaWebApplication
SecurityScanner(/general
topicsreviews/security

CiscoASA:AllinOneFirewall,IPS,AntiX,andVPNAdaptiveSecurityAppliance,2ndEdition
(http://www.ciscopress.com/store/ciscoasaallinonefirewallipsantixandvpnadaptive9781587058196)

articles/1083choosingweb

CiscoASA,PIX,andFWSMFirewallHandbook,2ndEdition(http://www.ciscopress.com/store/ciscoasapixandfwsm
firewallhandbook9781587054570)

scanner.html)

applicationsecurity
StatisticsHighlightthe
StateofSecurityofWeb

Applications(/general

ASA5500 SERIES CONFIGURATION CHECKLIST

topicsreviews/security
articles/1073stateof

WevecreatedasimpleconfigurationchecklistthatwillhelpuskeeptrackoftheconfiguredservicesonourASAFirewall.Hereisthelist

securityofweb

ofitemsthatwillbecoveredinthisarticle:

applications.html)
ComparingNetsparker

Eraseexistingconfiguration

Cloud&Desktopbased
SecuritySoftware(/general

ConfigureHostname,Users,Enablepassword&DisableAnonymousReporting
ConfigureinterfaceIPaddressesorVlanIPaddresses(ASA5505)&Descriptions
SetupInside(private)&Outside(public)Interfaces
Configuredefaultroute(defaultGateway)&staticroutes

topicsreviews/cloudbased
solutions/1079cloudbased
vsdesktopbasedsecurity
solutions.html)
HowtoProtectyour
WebsitesandWebServer
fromHackers(/general

ConfigureNetworkAddressTranslation(NAT)forInternalNetworks

topicsreviews/security
articles/1092securitytips

ConfigureASADHCPServer
ConfigureAAAauthenticationforlocaldatabaseuserauthentication

howtoprotectyour
websitesandwebservers
fromhackers.html)

EnableHTTPManagementforinsideinterface
EnableSSH&TelnetManagementforinsideandoutsideinterfaces

CISCO PRESS REVIEW


PARTNER

Create,configureandapplyTCP/UDPObjectGroupstofirewallaccesslists
ConfigurationofaccesslistsforICMPpacketstotheInternet
ApplyFirewallaccessliststoinsideandoutsideinterfaces
Configurelogging/debuggingofeventsanderrors
Note: it is highly advisable to frequently save the ASA configuration to ensure no work is lost in the event of a power failure or accident
restart.

(/sitenews/316firewall
ciscopress.html)

Notifymeofnewarticles

Name

Savingtheconfigurationcanbeeasilydoneusingthewritememorycommand:

Email
ASA5505(config)#writememory
Buildingconfiguration...

Subscribe

Cryptochecksum:c0aee665598d7cd37fbfe1a5a2d40ab1
3270bytescopiedin1.520secs(3270bytes/sec)
[OK]

CISCO MENU
CISCOROUTERS
(/ciscotechnical

ERASING EXISTING CONFIGURATION


Thisfirststepisoptionalasitwillerasethefirewallsconfiguration.Ifthefirewallhasbeenpreviouslyconfiguredoruseditisagoodidea
to start off with the factory defaults. If we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is
deletedweneedtoforceareboot,however,takenotethatitsimportantnottosavethesystemconfigtoensuretherunningconfigisnot
copiedtothestartupconfigotherwisewellhavetostartthisprocessagain:
ciscoasa(config)#writeerase
Eraseconfigurationinflashmemory?[confirm]

knowledgebase/cisco
routers.html)
CISCOSWITCHES
(/ciscotechnical
knowledgebase/cisco
switches.html)
CISCOVOIP/CCME
CALLMANAGER

[OK]

(/ciscotechnical

ciscoasa(config)#reload

knowledgebase/cisco

Systemconfighasbeenmodified.Save?[Y]es/[N]o:N

voice.html)

Proceedwithreload?[confirm]

CISCOFIREWALLS

ciscoasa(config)#
***
***STARTGRACEFULSHUTDOWN
Shuttingdownisakmp
Shuttingdownwebvpn

(/ciscotechnical
knowledgebase/cisco
firewalls.html)
CISCOWIRELESS

ShuttingdownFilesystem

(/ciscotechnical

***

knowledgebase/cisco

***SHUTDOWNNOW

wireless.html)

Processshutdownfinished

CISCOSERVICES&

Rebooting.....

TECHNOLOGIES
(/ciscotechnical
knowledgebase/cisco
servicestech.html)

CONFIGURE HOSTNAME, USERS, 'ENABLE' PASSWORD & DISABLE ANONYMOUS REPORTING

CONFIGURE HOSTNAME, USERS, 'ENABLE' PASSWORD & DISABLE ANONYMOUS REPORTING

CISCOAUTHORS&CCIE

Next,weneedtoconfiguretheEnablepassword,requiredforprivilegedexecmodeaccess,andthenuseraccountsthatwillhaveaccess

INTERVIEWS

tothefirewall.

(/ciscotechnical
knowledgebase/ccie

The ASA Firewall wont ask for a username/password when logging in next, however, the default enable password of cisco, will be

experts.html)

requiredtogainaccesstoprivilegedmode:
Ciscoasa>enable
Password:cisco
ciscoasa#configureterminal
ciscoasa(config)#
*****************************NOTICE*****************************
HelptoimprovetheASAplatformbyenablinganonymousreporting,
whichallowsCiscotosecurelyreceiveminimalerrorandhealth
informationfromthedevice.Tolearnmoreaboutthisfeature,
pleasevisit:http://www.cisco.com/go/smartcall
Wouldyouliketoenableanonymouserrorreportingtohelpimprove
theproduct?[Y]es,[N]o,[A]sklater:N
Inthefuture,ifyouwouldliketoenablethisfeature,
issuethecommand"callhomereportinganonymous".
Pleaseremembertosaveyourconfiguration.
At this point we need to note that when starting off with the factory default configuration, as soon as we enter the configure
terminal command, the system will ask if we would like to enable Ciscos callhome reporting feature. We declined the offer and
continuedwithoursetup:
ciscoasa(config)#hostnameASA5505
ASA5505(config)#enablepasswordfirewall.cx
ASA5505(config)#usernameadminpasswords1jw$528ds2privilege15
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and
has access to all configuration commands including erasing the configuration and files on the devices flash disk, such as the operating
system.

POPULAR CISCO
ARTICLES
DMVPNConfiguration(/cisco
technical
knowledgebase/cisco
routers/901ciscorouter
dmvpnconfiguration.html)
CiscoIPSLA(/cisco
technical
knowledgebase/cisco
routers/813ciscorouteripsla
basic.html)
VLANSecurity(/cisco
technical
knowledgebase/cisco
switches/818ciscoswitches
vlansecurity.html)
4507REInstallation(/cisco
technical
knowledgebase/cisco
switches/948ciscoswitches
4507rewsx45sup7le
installation.html)
CallManagerExpressIntro
(/ciscotechnical
knowledgebase/cisco
voice/371ciscoccmepart
1.html)
SecureCMESRTP&TLS

(/ciscotechnical

CONFIGURE INTERFACE IP ADDRESSES / VLAN IP ADDRESSES & DESCRIPTIONS

knowledgebase/cisco

Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with

securevoip.html)

ASA5510andlargermodels,orcreateVLANs(inside/outside)andconfigurethemwithIPaddresses,usuallywiththesmallerASA5505

CiscoPasswordCrack(/cisco

models.

technical

voice/956ciscovoicecme

knowledgebase/cisco
InmanycasesnetworkengineersuseVLANinterfacesonthelargerASA5500models,however,thisdependsonthelicensingcapabilities

routers/358ciscotype7

ofthedevice,existingnetworksetupandmore.

passwordcrack.html)

InthecaseoftheASA5505wemustuseVLANinterfaces,whichareconfiguredwiththeirappropriateIPaddressesandthen(nextstep)
characterisedasinside(private)oroutside(public)interfaces:
ASA5505(config)#interfacevlan1
ASA5505(config)#descriptionPrivateInterface

SitetoSiteVPN(/cisco
technical
knowledgebase/cisco
routers/867ciscoroutersite
tositeipsecvpn.html)

ASA5505(configif)#ipaddress10.71.0.1255.255.255.0
ASA5505(configif)#noshutdown
!

FREE CISCO LAB


PARTNER

ASA5505(config)#interfacevlan2
ASA5505(config)#descriptionPublicInterface
ASA5505(configif)#ipaddress192.168.3.50255.255.255.0
ASA5505(configif)#noshutdown

(http://clixtrac.com/goto/?

99238)

ASA5505(config)#interfaceethernet0/0
ASA5505(configif)#switchportaccessvlan2
ASA5505(configif)#noshutdown

POPULAR LINUX
ARTICLES

LinuxInit&RunLevels(/linux
Alternatively,thePublicinterface(VLAN2)canbeconfiguredtoobtainitsIPaddressautomaticallyviaDHCPwiththefollowing

knowledgebasetutorials/linux

command:

administration/845linux
administrationrunlevels.html)

ASA5505(config)#interfacevlan2

LinuxGroups&Users(/linux

ASA5505(config)#descriptionPublicInterface

knowledgebasetutorials/linux

ASA5505(configif)#ipaddressdhcpsetroute

administration/842linux

ASA5505(configif)#noshutdown

groupsuseraccounts.html)
LinuxPerformanceMonitoring

ThesetrouteparameterattheendofthecommandwillensuretheASAFirewallsetsitsdefaultroute(gateway)usingthedefaultgateway

(/linuxknowledgebase

parametertheDHCPserverprovides.

tutorials/linux

AfterconfiguringVLAN1&VLAN2withtheappropriateIPaddresses,weconfiguredethernet0/0asanaccesslinkforVLAN2sowecan
useitasaphysicalpublicinterface.Outofthe8totalEthernetinterfacestheASA5505has,atleastonemustbesetwiththeswitchport
accessvlan2otherwisetherewontbeanyphysicalpublicinterfaceontheASAforourfrontendroutertoconnectto.Ethernetports0/1 to
0/7mustalsobeconfiguredwiththeno shutdown command in order make them operational. All of these ports are, by default, access
linksforVLAN1.Providedaretheconfigurationcommandsforthefirsttwoethernetinterfaceastheconfigurationisidenticalforall:

administration/837linux
systemresource
monitoring.html)
LinuxVimEditor(/linux
knowledgebasetutorials/linux

ASA5505(config)#interfaceethernet0/1
ASA5505(configif)#noshutdown
ASA5505(configif)#interfaceethernet0/2
ASA5505(configif)#noshutdown

administration/836linux
vi.html)
LinuxSamba(/linux
knowledgebase
tutorials/systemandnetwork
services/848linuxservices
samba.html)
LinuxDHCPServer(/linux

SETUP INSIDE (PRIVATE) & OUTSIDE (PUBLIC) INTERFACES

knowledgebase
tutorials/systemandnetwork

Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall

services/849linuxservices

understandwhichinterfaceisconnectedtothetrusted(private)anduntrusted(public)network:

dhcpserver.html)
LinuxBindDNS(/general

ASA5505(config)#interfacevlan1

topicsreviews/linuxunix

ASA5505(configif)#nameifinside

related/829linuxbind

INFO:Securitylevelfor"inside"setto100bydefault.

introduction.html)

LinuxFile&Folder

ASA5505(config)#interfacevlan2

Permissions(/generaltopics

ASA5505(configif)#nameifoutside

reviews/linuxunix

INFO:Securitylevelfor"outside"setto0bydefault.

related/introductionto
linux/299linuxfilefolder

TheASAFirewallwillautomaticallysetthesecuritylevelto100forinsideinterfacesand0tooutsideinterfaces.Trafficcanflowfrom
highersecuritylevelstolower(privatetopublic),butnottheotherwayaround(publictoprivate)unlessstatedbyanaccesslists.

permissions.html)
LinuxOpenMosix(/general
topicsreviews/linuxunix

To change the securitylevel of an interface use the securitylevel xxx command by substituting xxx with a number from 0 to 100. The

related/openmosixlinux

higherthenumber,thehigherthesecuritylevel.DMZinterfacesareusuallyconfiguredwithasecuritylevelof50.

supercomputer.html)
LinuxNetworkConfig(/linux

Itisextremelyimportantthenecessarycautionistakenwhenselectingandapplyingtheinside/outsideinterfacesonanyASAFirewall.

knowledgebasetutorials/linux
administration/851linux

servicestcpip.html)

CONFIGURE DEFAULT ROUTE (DEFAULT GATEWAY) & STATIC ROUTES


ThedefaultrouteconfigurationcommandisnecessaryfortheASAFirewalltoroutepacketsoutsidethenetworkviathenexthop,usually

BANDWIDTH
MONITORING

a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default
gatewayisnotrequired.
ASA5505(config)#routeoutside0.0.0.00.0.0.0192.168.3.1
Atthispoint,itsagoodideatotrytestingthenexthoprouterandconfirmtheASAFirewallcanreachit:
ASA5505(config)#ping192.168.3.1
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto192.168.3.1,timeoutis2seconds:
!!!!!
Successrateis100percent(5/5),roundtripmin/avg/max=1/1/1ms

(http://clixtrac.com/goto/?
99758)

RSS SUBSCRIPTION
SubscribetoFirewall.cxRSS
FeedbyEmail
(http://feedburner.google.com/fb/a/mailverify?
uri=firewallcx&loc=en_US)

FornetworkswithmultipleinternalVLANs,itisnecessarytoconfigurestaticroutestoensuretheASAFirewallknowshowtoreachthem.
UsuallythesenetworkscanbereachedviaaLayer3switchoraninternalrouter.Forourexample,wellassumewehavetwonetworks:
10.75.0.0/24&10.76.0.0/24whichweneedtoprovideInternetaccessto.TheseadditionalnetworksarecontactableviaaLayer3device
withIPaddress10.71.0.100:
ASA5505(config)#routeoutside10.75.0.00.0.0.010.71.0.100
ASA5505(config)#routeoutside10.76.0.00.0.0.010.71.0.100

CONFIGURE NETWORK ADDRESS TRANSLATION (NAT) FOR INTERNAL NETWORKS


ThisisthelaststeprequiredtosuccessfullyprovideInternetaccesstoourinternalnetworks.NetworkAddressTranslationisessentialto
masqueradeourinternalnetworkusingthesingleIPaddressourPublicinterfacehasbeenconfiguredwith.NetworkAddressTranslation,
alongwithallitsvariations(Static,Dynamicetc),iscoveredingreatdepthinourpopularNetworkAddressTranslation(/networking
topics/networkaddresstranslationnat.html)section.
WeshouldnoteatthispointthatNATconfigurationhasslightlychangedwithASAsoftwareversion8.3andabove.Wewillprovideboth
commandstocoverinstallationswithsoftwareversionuptov8.2.5andfromv8.3andabove.
ThefollowingcommandsapplytoASAapplianceswithsoftwareversionupto8.2.5:
ASA5505(config)#global(outside)1interface
INFO:outsideinterfaceaddressaddedtoPATpool
ASA5505(config)#nat(inside)110.71.0.0255.255.255.0
ASA5505(config)#nat(inside)110.75.0.0255.255.255.0
ASA5505(config)#nat(inside)110.76.0.0255.255.255.0
Intheaboveconfiguration,theASAFirewallisinstructedtoNATallinternalnetworksusingtheNATGroup1.Thenumber1isusedto
identifytheNATgroupsfortheNATprocessbetweentheinsideandoutsideinterfaces.
The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address assigned to the outside
interface.

AnothermethodofconfiguringNATiswiththeuseofaccesslists.Inthiscase,wedefinetheinternalIPaddressestobeNATedwiththe
useofaccesslists:
ASA5505(config)#accesslistNATACLsextendedpermitip10.71.0.0255.255.255.0any
ASA5505(config)#accesslistNATACLsextendedpermitip10.75.0.0255.255.255.0any
ASA5505(config)#accesslistNATACLsextendedpermitip10.76.0.0255.255.255.0any
ASA5505(config)#global(outside)1interface
INFO:outsideinterfaceaddressaddedtoPATpool
ASA5505(config)#nat(inside)1accesslistNATACLs
NATwiththeuseofaccesslistsprovidesgreaterflexibilityandcontrolwhichIPaddressesornetworkswillusetheNATservice.
Withsoftwareversion8.3andnewer,thingshavechangeddramaticallyandtherearenomoreaccesslistsinNATconfigurationlines.
The new NAT format now utilizes "object network", "object service" and "objectgroup network" to define the parameters of the NAT
configuration.
The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the
Internet:
ASA5505(config)#objectnetworknetwork1
ASA5505(confignetworkobject)#subnet10.71.0.0255.255.255.0
ASA5505(confignetworkobject)#nat(inside,outside)dynamicinterface
!
ASA5505(config)#objectnetworknetwork2
ASA5505(confignetworkobject)#subnet10.75.0.0255.255.255.0
ASA5505(confignetworkobject)#nat(inside,outside)dynamicinterface
!
ASA5505(config)#objectnetworknetwork3
ASA5505(confignetworkobject)#subnet10.76.0.0255.255.255.0
ASA5505(confignetworkobject)#nat(inside,outside)dynamicinterface

CONFIGURING THE ASA DHCP SERVER


TheexistenceofaDHCPserverisnecessaryinmostcasesasithelpsmanagetheassignmentofIPaddresstoourinternalhosts.The
ASAFirewallcanbeconfiguredtoprovideDHCPservicestoourinternalnetwork,averyhandyandwelcomefeature.
Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the
maximumassignedIPaddresesfortheDHCPpoolwasjust128!
NotethattheDHCPservicecanrunonallASAinterfacessoitisnecessarytospecifywhichinterfacetheDHCPconfigurationparameters
arefor:
ASA5505(config)#dhcpdaddress10.71.0.5010.71.0.200inside
Warning,DHCPpoolrangeislimitedto128addresses,setaddressrangeas:10.71.0.5010.71.0.177
ASA5505(config)#dhcpdaddress10.71.0.5010.71.0.128inside
ASA5505(config)#dhcpddns8.8.8.8interfaceinside
Onceconfigured,theDHCPservicewillbeginworkingandassigningIPaddressestotheclients.TheGateway IP address parameter is
automaticallyprovidedtoclientandisnotrequiredtobeconfiguredontheASAFirewallappliance.
WecanverifytheDHCPserviceisworkingusingtheshowdhcpdstatisticscommand:
ASA5505(config)#showdhcpdstatistics
DHCPUDPUnreachableErrors:0
DHCPOtherUDPErrors:0
Addresspools1
Automaticbindings1
Expiredbindings0
Malformedmessages0
MessageReceived
BOOTREQUEST0
DHCPDISCOVER1
DHCPREQUEST1
DHCPDECLINE0
DHCPRELEASE0
DHCPINFORM1
Ifrequired,wecancleartheDHCPbindings(assignedIPaddresses)usingthecleardhcpdbindingcommand.

CONFIGURE AAA AUTHENTICATION FOR LOCAL DATABASE USER AUTHENTICATION


Configuring AAA authentication is always a good idea as it instructs the ASA Firewall to use the local user database for the various
services it's running. For example, we can tell the ASA Firewall to use a radius server for VPN user authentication, but use its local
databasefortelnet,sshorHTTP(ASDM)managementaccesstotheFirewallappliance.

Asmentioned,ourexampleinstructstheASAFirewalltouseitslocaldatabase:
ASA5505(config)#aaaauthenticationtelnetconsoleLOCAL
ASA5505(config)#aaaauthenticationhttpconsoleLOCAL
ASA5505(config)#aaaauthenticationsshconsoleLOCAL

ENABLE HTTP MANAGEMENT FOR INSIDE INTERFACE


We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the
FirewallsmanagementviathepopularASDMmanagementapplication:
ASA5505(config)#http10.71.0.0255.255.255.0inside
WARNING:httpserverisnotyetenabledtoallowASDMaccess.
ASA5505(config)#httpserverenable
TheabovecommandsenableHTTPmanagementontheASAFirewallonlyforthenetwork10.71.0.0/24.

ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES
EnablingSSHandTelnetaccesstotheCiscoFirewallisprettystraightforward.WhilewealwaysrecommendtheuseofSSH,especially
whenaccessingtheFirewallfrompublicIPs,telnetisalsoanoption,however,wemustkeepinmindthattelnetmanagementmethodsdo
notprovideanysecurityasalldata(includingusername,passwordsandconfigurations)aresentincleartext.
Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any such step as it does not
provideanyencryptionorsecurity:
ASA5505(config)#cryptokeygeneratersamodulus1024
INFO:Thenameforthekeyswillbe:
Keypairgenerationprocessbegin.Pleasewait...
ASA5505(config)#ssh10.71.0.0255.255.255.0inside
ASA5505(config)#ssh200.200.90.5255.255.255.255outside
ASA5505(config)#telnet10.71.0.0255.255.255.0inside
NotethattheASAFirewallappliancewillonlyacceptSSHconnectionsfromhost200.200.90.5arrivingonitspublicinterface,whileSSH
andtelnetconnectionsarepermittedfromnetwork10.71.0.0/24ontheinsideinterface.

CREATE, CONFIGURE AND APPLY TCP/UDP OBJECTGROUPS


AnessentialpartofanyfirewallconfigureistodefinetheInternetservicesouruserswillhaveaccessto.Thisisdonebyeithercreatinga
numberoflengthyaccesslistsforeachprotocol/serviceandthenapplyingthemtotheappropriateinterfaces,orutilisingtheASAFirewall
ObjectGroups which are then applied to the interfaces. Using Objectgroups is easy and recommended as they provide a great deal of
flexibilityandeaseofmanagement.
Thelogicissimple:CreateyourObjectGroups,inserttheprotocolsandservicesrequired,andthenreferencetheminthefirewallaccess
lists.Asalaststep,weapplythemtotheinterfacesweneed.
Lets use an example to help visualise the concept. Our needs require us to create two ObjectGroups, one for TCP and one for UDP
services:
ASA5505(config)#objectgroupserviceInternetudpudp
ASA5505(configservice)#descriptionUDPStandardInternetServices
ASA5505(configservice)#portobjecteqdomain
ASA5505(configservice)#portobjecteqntp
ASA5505(configservice)#portobjecteqisakmp
ASA5505(configservice)#portobjecteq4500
!
ASA5505(configservice)#objectgroupserviceInternettcptcp
ASA5505(configservice)#descriptionTCPStandardInternetServices
ASA5505(configservice)#portobjecteqwww
ASA5505(configservice)#portobjecteqhttps
ASA5505(configservice)#portobjecteqsmtp
ASA5505(configservice)#portobjecteq465
ASA5505(configservice)#portobjecteqpop3
ASA5505(configservice)#portobjecteq995
ASA5505(configservice)#portobjecteqftp
ASA5505(configservice)#portobjecteqftpdata
ASA5505(configservice)#portobjecteqdomain
ASA5505(configservice)#portobjecteqssh
ASA5505(configservice)#portobjecteqtelnet
NowweneedtoreferenceourtwoObjectgroupsusingthefirewallaccesslists.Herewecanalsodefinewhichnetworkswillhaveaccess
totheserviceslistedineachObjectgroup:

ASA5505(config)#accesslistinsideinremark=[AccessListsForOutgoingPacketsfromInsideinterface]=
ASA5505(config)#accesslistinsideinextendedpermitudp10.71.0.0255.255.255.0anyobjectgroupInternetudp
ASA5505(config)#accesslistinsideinextendedpermittcp10.71.0.0255.255.255.0anyobjectgroupInternettcp
ASA5505(config)#accesslistinsideinextendedpermittcp10.75.0.0255.255.255.0anyobjectgroupInternettcp
ASA5505(config)#accesslistinsideinextendedpermittcp10.76.0.0255.255.255.0anyobjectgroupInternettcp

Note that the 10.71.0.0/25 network has access to both Objectgroups services, our other networks are restricted to only the services
definedintheTCPObjectgroup.TounderstandhowObjectgroupshelpsimplifyaccesslistmanagement:withoutthem,wewouldrequire
37accesslistscommandsinsteadofjust4!

CONFIGURATION OF ACCESSLISTS FOR ICMP PACKETS TO THE INTERNET


TocompleteouraccesslistconfigurationweconfigureourASAFirewalltoallowICMPechopackets(ping)toanydestination,andtheir
replies(echoreply):
ASA5505(config)#accesslistinsideinextendedpermiticmp10.71.0.0255.255.255.0any
ASA5505(config)#accesslistoutsideinremark=[AccessListsForIncomingPacketsonOUTSIDEinterface]=
ASA5505(config)#accesslistoutsideinextendedpermiticmpanyanyechoreply

APPLING FIREWALL ACCESSLISTS TO INSIDE AND OUTSIDE INTERFACES


The last step in configuring our firewall rules involves applying the two access lists, insidein & outsidein, to the appropriate interfaces.
Oncethisstepiscompletethefirewallrulesareineffectimmediately:
ASA5505(config)#accessgroupinsideinininterfaceinside
ASA5505(config)#accessgroupoutsideinininterfaceoutside

CONFIGURE LOGGING/DEBUGGING OF EVENTS & ERRORS


ThislaststepinourASAFirewallconfigurationguidewillenablelogginganddebuggingsothatwecaneasilytraceeventsanderrors.Itis
highlyrecommendedtoenableloggingbecauseitwillcertainlyhelptroubleshootingtheASAFirewallwhenproblemsoccur.
ASA5505(config)#loggingbuffered7
ASA5505(config)#loggingbuffersize30000
ASA5505(config)#loggingenable

Thecommandsusedaboveenableloginthedebugginglevel(7)andsetsthebuffersizeinRAMto30,000bytes(~30Kbytes).
Issuingtheshowlogcommandwillrevealanumberofimportantlogsincludinganypacketsthatareprocessedordeniedduetoaccess
lists:
ASA5505(config)#showlog
Sysloglogging:enabled
Facility:20
Timestamplogging:disabled
Standbylogging:disabled
Debugtracelogging:disabled
Consolelogging:disabled
Monitorlogging:disabled
Bufferlogging:leveldebugging,39925messageslogged
Traplogging:disabled
Historylogging:disabled
DeviceID:disabled
Maillogging:disabled
ASDMlogging:disabled
n"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54843dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54845dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54844dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54850dstoutside:10.0.0.10/139byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54843dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54845dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54844dstoutside:10.0.0.10/445byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denytcpsrcinside:10.71.0.50/54850dstoutside:10.0.0.10/139byaccessgroup"insidein"[0x0,0x0]
%ASA4106023:Denyudpsrcinside:10.71.0.50/137dstoutside:10.0.0.10/137byaccessgroup"insidein"[0x0,0x0]
%ASA6302014:TeardownTCPconnection4718foroutside:173.194.40.49/443toinside:10.71.0.50/54803duration0:02:00bytes
1554462TCPFINs

CONCLUSION