Cisco ASA 5505 Firewall: Basic Configuration Tutorial

The Cisco ASA 5505 Firewall is the smallest model in the 5500 series of Cisco hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as those of the bigger models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application-aware security, denial of service attack protection and much more. The ASA 5505 supports 150 Mbps of firewall throughput and 4000 new firewall connections per second, which is more than enough for small networks. In this article I will explain the basic configuration steps needed to set up a Cisco ASA 5505 firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (200.200.200.1 in this example, with the ISP gateway at 200.200.200.2 in the same subnet) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface. The difference between the 5505 and the bigger ASA models is that it has an 8-port 10/100 switch which operates at Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; instead you create interface VLANs and assign the Layer 2 ports to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside interface (the one which connects to the Internet), and the other seven interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let's see the most important steps that you need to configure.
Step 1: Configure the internal interface VLAN
-----------------------------------------------------
ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shut

Step 2: Configure the external interface VLAN (connected to the Internet)
-----------------------------------------------------
ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shut
Step 3: Assign Ethernet 0/0 to VLAN 2
-----------------------------------------------------
ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the rest of the interfaces with no shut
-----------------------------------------------------
ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

Do the same for Ethernet0/1 to 0/7 (they are already members of VLAN 1 by default).

Step 5: Configure PAT on the outside interface
-----------------------------------------------------
ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 6: Configure the default route towards the ISP (assume the default gateway is 200.200.200.2)
-----------------------------------------------------
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

The above steps are the absolutely necessary steps you need to configure to make the appliance operational. Of course there are many more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, static NAT, DHCP, DMZ zones, authentication etc. Two points worth keeping in mind: the nat/global syntax used in Step 5 is the pre-8.3 form (from ASA software 8.3 onwards dynamic PAT is configured with object NAT and the global command no longer exists), and nothing in the steps above protects privileged mode, so set an enable password and restrict management access (ASDM/SSH) to the inside interface before the appliance is connected to the Internet.

Cisco ASA 5500 Firewall Configuration: User Interface and Access Modes

This article describes the user interface and access modes and commands associated with the operation of Cisco ASA 5500 firewall appliances, and how to use the basic Command Line Interface. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with RJ-45 on one end and DB-9 serial on the other end) and a terminal emulation program (e.g. HyperTerminal).

A Cisco ASA security appliance has four main administrative access modes:

Monitor Mode: Displays the monitor> prompt. A special mode that enables you to update the image over the network or to perform password recovery. You access this mode by pressing the "Break" or "ESC" key immediately after powering up the appliance. While in monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password recovery binary image file to download. Because this mode allows password recovery, anyone with physical access to the console port can take over the appliance, so protect physical access to the device.

Unprivileged Mode: Displays the > prompt. Available when you first access the appliance. This mode provides a restricted view of the security appliance. You cannot configure anything from this mode. If the appliance is a Cisco PIX 500 series, the prompt for unprivileged mode is pixfirewall>, and if the appliance is a Cisco ASA 5500 series, the prompt is ciscoasa>. To get started with configuration, the first command you need to know is the enable command. Type enable and hit Enter. The initial password is empty, so hit Enter again to move on to the next access mode (Privileged Mode).

ciscoasa> enable        <-- Unprivileged Mode
password:               <-- Enter a password here (initially it is blank)
ciscoasa#               <-- Privileged Mode

Privileged Mode: Displays the # prompt. Enables you to change the current settings. Any unprivileged command also works in this mode. From this mode you can see the current configuration by using show running-config. Still, you cannot configure anything yet until you go to Configuration Mode.

Configuration Mode: This mode displays the (config)# prompt. Enables you to change all system configuration settings. You access the Configuration Mode using the "configure terminal" command from the Privileged Mode. The (config)# mode is sometimes called Global Configuration Mode. Some configuration commands from this mode enter a command-specific mode and the prompt changes accordingly. For example the interface command enters interface configuration mode as shown below. Use exit from each mode to return to the previous mode.

ciscoasa> enable                              <-- Unprivileged Mode
password:                                     <-- Enter a password here (initially it is blank)
ciscoasa# configure terminal                  <-- Privileged Mode
ciscoasa(config)#                             <-- Configuration Mode
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#                          <-- Configure interface-specific parameters
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa#                                     <-- Back to Privileged Mode
ciscoasa# exit
ciscoasa>                                     <-- Back to Unprivileged Mode
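The basic configuration above (interface VLANs, PAT, default route) is short enough to check by eye, but on a real appliance it sits among hundreds of other lines. The following Python script is an added example written for this page (it is not part of the original article or any Cisco tool): it reduces a running-config excerpt to the handful of commands covered so far and reports the omissions a reviewer would flag, namely a missing enable password, named interfaces without a security level or address, nat/global ids that do not pair up, a missing default route, and interfaces without Unicast RPF (ip verify reverse-path). The sample configuration embedded in it is constructed from Steps 1 to 6 with the enable password and uRPF deliberately left out, so the audit has something to find; the function and variable names are my own.

```python
# Constructed running-config excerpt built from Steps 1 to 6 (pre-8.3 nat/global syntax).
# The enable password and "ip verify reverse-path" are intentionally missing.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
"""


def parse_config(text):
    """Extract only what the checks need; every unrecognised line is ignored."""
    cfg = {"interfaces": {}, "nat": set(), "global": set(), "routes": [],
           "enable_password": False, "urpf": set()}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()
        if line.startswith(" "):
            # Sub-command of the interface opened on the previous top-level line.
            if current is not None:
                if tok[0] == "nameif":
                    current["nameif"] = tok[1]
                elif tok[0] == "security-level":
                    current["level"] = int(tok[1])
                elif tok[:2] == ["ip", "address"]:
                    current["ip"] = tok[2:]
            continue
        current = None
        if tok[0] == "interface":
            # "interface Vlan 1" (typed) and "interface Vlan1" (as shown) are the same interface.
            current = cfg["interfaces"].setdefault("".join(tok[1:]), {})
        elif tok[0] == "nat" and len(tok) >= 3:
            cfg["nat"].add((tok[1].strip("()"), tok[2]))      # (interface, nat id)
        elif tok[0] == "global" and len(tok) >= 3:
            cfg["global"].add((tok[1].strip("()"), tok[2]))   # (interface, nat id)
        elif tok[0] == "route" and len(tok) >= 5:
            cfg["routes"].append({"iface": tok[1], "net": tok[2], "mask": tok[3], "gw": tok[4]})
        elif tok[:2] == ["enable", "password"] and len(tok) >= 3:
            cfg["enable_password"] = True
        elif tok[:4] == ["ip", "verify", "reverse-path", "interface"] and len(tok) >= 5:
            cfg["urpf"].add(tok[4])
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the basic checks pass."""
    findings = []
    if not cfg["enable_password"]:
        findings.append("no enable password: privileged mode is reachable with an empty password")
    named = {}
    for intf in cfg["interfaces"].values():
        if "nameif" not in intf:
            continue  # 5505 switchports carry no nameif; only VLAN interfaces are named
        nameif = intf["nameif"]
        named[nameif] = intf
        if "level" not in intf:
            findings.append(f"{nameif}: no security-level")
        if "ip" not in intf:
            findings.append(f"{nameif}: no ip address")
        if nameif not in cfg["urpf"]:
            findings.append(f"{nameif}: ip verify reverse-path not enabled")
    if "outside" in named and named["outside"].get("level") != 0:
        findings.append("outside: security-level should be 0")
    nat_ids = {nid for _, nid in cfg["nat"]}
    global_ids = {gid for _, gid in cfg["global"]}
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no matching nat statement")
    if not any(r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0" for r in cfg["routes"]):
        findings.append("no default route")
    for r in cfg["routes"]:
        if r["iface"] not in named:
            findings.append(f"route via unknown interface {r['iface']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the constructed excerpt it reports exactly three findings (the missing enable password and the two interfaces without uRPF); appending the enable password and the two ip verify reverse-path lines brings the list down to empty, and deleting the global line produces an unpaired nat id, which on a pre-8.3 appliance means inside hosts leave untranslated.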
Configure IP Spoofing and IPS Protection with a Cisco ASA 5500 Firewall

The Cisco ASA firewall appliance provides good security protection out of the box with its default configuration. However, to increase the protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP Spoofing protection mechanism, the firewall also checks the source address of the packets. This means that packets arriving at a particular interface (e.g. inside) must have a source IP address that the firewall routing table associates with that interface. The feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic you want to allow through the security appliance, the appliance's routing table must include a route back to the source address through the interface on which the packet arrived. If for example our inside interface connects to the internal network 192.168.1.0/24, packets arriving at the inside interface must have a source address in the range 192.168.1.0/24, otherwise they will be dropped (once IP Spoofing protection is configured). On the outside interface, which normally holds the default route, any Internet source passes the check; what the check catches there are packets whose source address belongs to one of your internal or DMZ subnets, i.e. spoofed internal addresses arriving from the Internet.

To enable IP Spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface "interface_name"

For example, to enable IP spoofing protection on the inside interface, use the following command:

CiscoASA5500(config)# ip verify reverse-path interface inside

Basic IPS Protection

Although the ASA firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it also supports basic IPS protection which is built in by default without using an extra hardware module. The built-in IPS feature supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is "ip audit". There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:

For informational signatures:
CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]

For attack signatures:
CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]

The keywords [alarm], [drop] and [reset] define the actions to perform on a packet that matches one of the signatures: [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection. After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:

CiscoASA5500(config)# ip audit interface "interface_name" "policy_name"

Let's see an actual example:

CiscoASA5500(config)# ip audit name dropattacks attack action drop
CiscoASA5500(config)# ip audit interface outside dropattacks

Keep in mind that the ip audit signature list is small and fixed, so this is a basic safeguard rather than a substitute for a real IPS, and that a drop action on the informational group can interfere with legitimate traffic; individual signatures that prove noisy can be turned off with the ip audit signature command.
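The Unicast RPF check described above is simple to state but easy to misjudge, especially on the interface that carries the default route. The following Python snippet is an added example for this page (not code from the original article or from Cisco): it models the routing table of the article's scenario (192.168.1.0/24 connected to inside, the ISP subnet and the default route on outside), performs a longest-prefix lookup on the source address of each constructed packet, and accepts the packet only when the route back to its source leaves through the interface it arrived on. The constructed packet list and the names ROUTES, reverse_path_interface and urpf_accepts are mine.

```python
import ipaddress

# Constructed routing table modelled on the article: (interface, prefix).  The two
# connected networks and a default route via the outside interface.
ROUTES = [
    ("inside", "192.168.1.0/24"),
    ("outside", "200.200.200.0/24"),
    ("outside", "0.0.0.0/0"),
]


def reverse_path_interface(routes, src):
    """Longest-prefix lookup on the *source* address: the interface the appliance
    would use to reach src.  Returns None when no route, not even a default, matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for iface, prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def urpf_accepts(routes, ingress, src):
    """Unicast RPF as enabled by 'ip verify reverse-path interface <ingress>': accept
    only if the route back to the source points out the interface the packet came in on."""
    return reverse_path_interface(routes, src) == ingress


# Constructed test packets: (ingress interface, source address).
PACKETS = [
    ("inside", "192.168.1.50"),   # legitimate inside host
    ("inside", "10.0.0.5"),       # spoofed: the route back to 10.0.0.5 is the default via outside
    ("outside", "8.8.8.8"),       # legitimate Internet source, covered by the default route
    ("outside", "192.168.1.7"),   # spoofed inside address arriving from the Internet
]


def audit(routes, packets):
    """Verdict per packet, mirroring what 'show asp drop' would count as rpf-violated."""
    return [(ingress, src, "permit" if urpf_accepts(routes, ingress, src) else "drop")
            for ingress, src in packets]


if __name__ == "__main__":
    for ingress, src, verdict in audit(ROUTES, PACKETS):
        print(f"{ingress:8} {src:16} {verdict}")
```

Removing the default route from ROUTES makes every Internet source fail the check on outside, which is the behaviour you would see on an appliance whose default route was accidentally deleted: uRPF drops, not forwarding failures, are then the first symptom.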
Configure a Cisco ASA 5505 with a Dual ISP Backup Connection

In this article I will explain how to configure a Cisco ASA 5505 firewall to connect to dual ISPs for redundancy purposes. The functionality that I will describe below works for ASA 5505 software version 7.2(1) and above. Suppose that we have a primary high-speed ISP connection and a cheaper DSL line connected to a secondary ISP. Normally all of our traffic should flow through the primary ISP. If the primary link fails, the secondary DSL connection should be utilized for Internet access. Please note that this scenario is valid only for outbound traffic (i.e. from our internal network towards the Internet).

Assume that we are assigned a static public IP address of 100.100.100.1 by the primary ISP and another static public IP address of 200.200.200.1 by our backup ISP. We will use Ethernet 0/0 for connecting to the primary ISP, Ethernet 0/1 for connecting to our internal LAN, and Ethernet 0/2 for connecting to our backup ISP. We will create three VLANs to support our configuration. VLAN 1 (the default VLAN) will be assigned to Ethernet 0/1 (inside), VLAN 2 will be assigned to Ethernet 0/0 (primary-isp) and VLAN 3 will be assigned to Ethernet 0/2 (backup-isp). We also have to configure two static default routes pointing to the two ISP gateway addresses (assume the primary ISP gateway is 100.100.100.2 and the backup ISP gateway is 200.200.200.2). The primary ISP default route shall have a metric of 1 and the backup ISP default route shall have a metric bigger than 1 (let's say 2), so that it is only installed when the primary route disappears. Let us see the configuration below:

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

Three things to be aware of with this setup. First, the backup interface command makes VLAN 3 a standby: it does not pass traffic while the default route through the primary interface is active. Second, the primary default route is withdrawn only when the primary interface itself goes down; if the ISP link stays up but the ISP loses upstream connectivity, the route stays in the table and no failover happens. Static route tracking (an sla monitor probe tied to the primary route with the track keyword, available from 7.2(1)) is the way to fail over on reachability rather than link state. Third, the configuration above shows only interfaces and routes: you still need PAT for both ISP interfaces, i.e. a global statement for backup-isp as well as for primary-isp, paired with the nat (inside) statement, otherwise traffic that fails over to the backup link leaves with untranslated private source addresses.

Cisco ASA 5510 Firewall: Basic Configuration Tutorial

Continuing our series of articles about Cisco ASA 5500 firewalls, I'm offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work at 10/100/1000 instead of only 10/100.

Next we will see a simple Internet access scenario which will help us understand the basic steps needed to set up an ASA 5510. Assume that we are assigned the static public IP address 100.100.100.1 by our ISP, and that the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected on the outside (towards the ISP), and Ethernet0/1 will be connected to the inside LAN switch. The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let's see a snippet of the required configuration steps for this basic scenario:

Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be required for all subsequent administrative access to the appliance (pick a strong one; "mysecretpassword" below is just a placeholder). Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword

Step 2: Configure the public outside interface

ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step 3: Configure the trusted internal interface

ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 5: Configure the default route towards the ISP (assume the default gateway is 100.100.100.2)

ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS addresses to hosts using DHCP

ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as static and dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.

Understanding the 8 Base Commands on a Cisco ASA Security Appliance

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:

**interface**
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

**nameif**
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or dmz.

**security-level**
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels; note that once an access-list is applied to an interface, it decides for all traffic entering that interface, including the higher-to-lower traffic that would otherwise have been permitted implicitly. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

**ip address**
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of the security appliance software, it is not necessary to explicitly configure classful default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise it's not necessary. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

**switchport access**
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to VLANs on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

**nat**
The nat command enables network address translation on the specified interface for the specified subnet. In this sample, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT ID, which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT ID 0 is used to exempt the specified group of addresses from translation.)

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

**global**
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from NATed hosts (usually inside hosts) must flow. It also identifies the global address which NATed hosts will use to connect to the outside world. In this sample configuration, the hosts associated with NAT ID 1 will use the global address 12.3.4.5 on the outside interface.

ciscoasa(config)# global (outside) 1 12.3.4.5

In this additional example of the use of the "global" command, the interface keyword tells the firewall that hosts associated with NAT ID 1 will use the (possibly DHCP-assigned) address of the outside interface itself.

ciscoasa(config)# global (outside) 1 interface

**route**
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used to add static routes for specific subnets through specific next hops. In the following sample, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The keyword outside identifies the interface through which traffic will flow to reach the default gateway.

ciscoasa(config)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, ssh (or telnet, which sends credentials in cleartext and should be avoided) to allow remote administration, dhcpd commands to allow the firewall to assign IP addresses to inside hosts, and static and access-list commands to allow internal hosts such as DMZ web servers or DMZ mail servers to be accessible to Internet hosts.
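The security-level model described under **security-level** is the part of the ASA that newcomers most often misread, in particular the fact that applying an access-list to an interface replaces the implicit higher-to-lower permit for everything entering that interface. The following Python snippet is an added example for this page (not code from the original article or from Cisco): it encodes the decision the appliance makes for a new connection, using the interface levels from the sample above (inside 100, dmz 50, outside 0) and a constructed set of inbound access-lists. The ACL model is simplified to (action, source network, destination network); real access-list entries also carry protocol and ports. The names LEVELS, ACLS, acl_verdict and connection_allowed are mine.

```python
import ipaddress

# Interface security levels from the sample configuration above.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed inbound access-lists keyed by the interface they are applied to
# ("access-group <name> in interface <if>").  Rules are (action, src_net, dst_net);
# an interface with no entry has no ACL, so the security-level rule decides.
ACLS = {
    "outside": [("permit", "0.0.0.0/0", "192.168.2.10/32")],   # only the DMZ web server
    "inside":  [("permit", "192.168.1.0/24", "0.0.0.0/0")],    # only the real inside subnet
}


def acl_verdict(rules, src, dst):
    """First-match evaluation ending in the implicit deny every ASA access-list has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def connection_allowed(levels, acls, src_if, dst_if, src, dst, same_security_inter=False):
    """Decide whether a new connection entering src_if and leaving via dst_if is allowed.

    If src_if has an inbound ACL, that ACL alone decides: the implicit higher-to-lower
    permit no longer applies.  Otherwise higher -> lower is permitted, lower -> higher
    is denied, and equal levels need 'same-security-traffic permit inter-interface'."""
    if src_if in acls:
        return acl_verdict(acls[src_if], src, dst)
    s, d = levels[src_if], levels[dst_if]
    if s > d:
        return True
    if s < d:
        return False
    return same_security_inter


# Constructed flows: (src_if, dst_if, src, dst)
FLOWS = [
    ("inside", "outside", "192.168.1.5", "8.8.8.8"),     # normal browsing, permitted by ACL
    ("inside", "outside", "10.9.9.9", "8.8.8.8"),        # odd source on inside: ACL implicit deny
    ("outside", "dmz", "203.0.113.7", "192.168.2.10"),   # Internet -> DMZ web server, permitted
    ("outside", "dmz", "203.0.113.7", "192.168.2.11"),   # Internet -> other DMZ host, denied
    ("dmz", "inside", "192.168.2.10", "192.168.1.5"),    # DMZ -> inside: lower -> higher, denied
    ("inside", "dmz", "192.168.1.5", "192.168.2.10"),    # inside -> DMZ: permitted by ACL on inside
]


def evaluate(levels, acls, flows):
    return [(f, connection_allowed(levels, acls, *f)) for f in flows]


if __name__ == "__main__":
    for flow, ok in evaluate(LEVELS, ACLS, FLOWS):
        print("permit" if ok else "deny  ", *flow)
```

The second flow is the gotcha worth remembering: with no ACL on inside it would be permitted purely on security level, but the moment an access-list is bound to inside, anything that list does not permit is dropped, which is exactly how an access-list on the inside interface becomes an egress filter against spoofed or unexpected internal sources.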