While many consider the Cisco ASA Firewalls complex and difficult-to-configure devices, Firewall.cx aims
to break that myth and show how easily you can set up an ASA Firewall to deliver basic and advanced
functionality. We’ve done it with other Cisco technologies and devices, and we’ll do it again :)
The table below provides a brief comparison between the different ASA5500 series security appliances:
Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
(The comparison rows of this table are not reproduced here; see the datasheet linked below.)
Users can also download the complete technical datasheet for the Cisco ASA 5500 series firewalls by
visiting our Cisco Product Datasheet & Guides Download section.
Perhaps one of the most important points, especially for an engineer with limited experience, is that
configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520
Firewall. The same steps are required to set up pretty much all ASA 5500 series Firewalls – which is Great
News!
The main differences besides the licenses, which enable or disable features, are the physical interfaces of
each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly modules that
might be installed. In any case, we should keep in mind that if we are able to configure a small ASA5505
then configuring the larger models won’t be an issue.
At the time of writing this article Firewall.cx came across a Cisco ASA5505, so we decided to put it to
good use for this article. Do note, however, that all commands and the configuration philosophy are the same
across all ASA5500 series security appliances.
Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article
provides both old style (up to v8.2.5) and new style (v8.3 onwards) NAT configuration commands.
Additional reading material: Users seeking nothing but the best security information on ASA Firewalls,
written by leading Cisco Security Engineers, should consider the following highly recommended Cisco
Press titles:
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, 2nd Edition
Cisco ASA, PIX, and FWSM Firewall Handbook, 2nd Edition
We’ve created a simple configuration check-list that will help us keep track of the configured services on
our ASA Firewall. Here is the list of items that will be covered in this article:
Note: it is highly advisable to save the ASA configuration frequently to ensure no work is lost in the event
of a power failure or an accidental restart.
Saving the configuration can be easily done using the write memory command:
This first step is optional as it will erase the firewall’s configuration. If the firewall has been previously
configured or used, it is a good idea to start off with the factory defaults. If we are not certain, we prefer to
wipe it clean and start from scratch. Once the configuration is deleted we need to force a reboot; when
prompted, it is important not to save the system config, so that the running-config is not copied to the
startup-config, otherwise we’ll have to start this process again:
ciscoasa(config)# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: N
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
The ASA Firewall won’t ask for a username/password when logging in next; however, the default enable
password of ‘cisco’ will be required to gain access to privileged mode:
Ciscoasa> enable
Password: cisco
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
At this point we need to note that when starting off with the factory default configuration, as soon as we
enter the ‘configure terminal’ command, the system will ask if we would like to enable Cisco’s call-home
reporting feature. We declined the offer and continued with our setup:
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an
account with full privileges and has access to all configuration commands including erasing the
configuration and files on the device’s flash disk, such as the operating system.
CONFIGURE INTERFACE IP ADDRESSES / VLAN IP ADDRESSES & DESCRIPTIONS
Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP
addresses, usually done with ASA5510 and larger models, or create VLANs (inside/outside) and configure
them with IP addresses, usually with the smaller ASA5505 models.
In many cases network engineers use VLAN interfaces on the larger ASA5500 models, however, this
depends on the licensing capabilities of the device, existing network setup and more.
In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP
addresses and then (next step) characterised as inside (private) or outside (public) interfaces:
Alternatively, the Public interface (VLAN2) can be configured to obtain its IP address automatically via
DHCP with the following command:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown
The setroute parameter at the end of the command will ensure the ASA Firewall sets its default route
(gateway) using the default gateway parameter the DHCP server provides.
After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an
access link for VLAN2 so we can use it as a physical public interface. Out of the 8 total Ethernet interfaces
the ASA5505 has, at least one must be set with the switchport access vlan 2 command, otherwise there won’t be
any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must
also be configured with the no shutdown command in order to make them operational. All of these ports are,
by default, access links for VLAN1. Provided are the configuration commands for the first two ethernet
interfaces, as the configuration is identical for all:
Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will
help the ASA Firewall understand which interface is connected to the trusted (private) and untrusted (public)
network:
The ASA Firewall will automatically set the security level to 100 for inside interfaces and 0 for outside
interfaces. Traffic can flow from higher security levels to lower ones (private to public), but not the other way
around (public to private) unless explicitly permitted by an access list.
To change the security-level of an interface use the security-level xxx command by substituting xxx with
a number from 0 to 100. The higher the number, the higher the security level. DMZ interfaces are usually
configured with a security level of 50.
It is extremely important the necessary caution is taken when selecting and applying the inside/outside
interfaces on any ASA Firewall.
The default route configuration command is necessary for the ASA Firewall to route packets outside the
network via the next hop, usually a router. In case the public interface (VLAN2) is configured using the ip
address dhcp setroute command, configuration of the default gateway is not required.
For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA
Firewall knows how to reach them. Usually these networks can be reached via a Layer 3 switch or an
internal router. For our example, we’ll assume we have two networks, 10.75.0.0/24 & 10.76.0.0/24, which
we need to provide Internet access to. These additional networks are reachable via a Layer 3 device
with IP address 10.71.0.100:
We should note at this point that NAT configuration has slightly changed with ASA software version 8.3 and
above. We will provide both commands to cover installations with software version up to v8.2.5 and from
v8.3 and above.
The following commands apply to ASA appliances with software version up to 8.2.5:
In the above configuration, the ASA Firewall is instructed to NAT all internal networks using the NAT
Group 1. The number ‘1’ is used to identify the NAT groups for the NAT process between the inside and
outside interfaces.
The global (outside) 1 interface command instructs the ASA Firewall to perform NAT using the IP address
assigned to the outside interface.
Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP
addresses to be NAT’ed with the use of access lists:
NAT with the use of access lists provides greater flexibility and control which IP addresses or networks
will use the NAT service.
With software version 8.3 and newer, things have changed dramatically and there are no more access lists
in NAT configuration lines.
The new NAT format now utilizes "object network", "object service" and "object-group network" to define
the parameters of the NAT configuration.
The following commands (software version 8.3 and above) will provide NAT services to our internal
networks so they can access the Internet:
The existence of a DHCP server is necessary in most cases as it helps manage the assignment of IP
addresses to our internal hosts. The ASA Firewall can be configured to provide DHCP services to our internal
network, a very handy and welcome feature.
Again, there are some limitations with the DHCP service configuration which vary with the ASA model used.
In our ASA5505, the maximum number of assigned IP addresses for the DHCP pool was just 128!
Note that the DHCP service can run on all ASA interfaces so it is necessary to specify which interface the
DHCP configuration parameters are for:
Once configured, the DHCP service will begin working and assigning IP addresses to the clients.
The gateway IP address parameter is automatically provided to the client and does not need to be configured
on the ASA Firewall appliance.
We can verify the DHCP service is working using the show dhcpd statistics command:
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 1
If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd
binding command.
Configuring AAA authentication is always a good idea as it instructs the ASA Firewall to use the local user
database for the various services it's running. For example, we can tell the ASA Firewall to use a RADIUS
server for VPN user authentication, but use its local database for telnet, SSH or HTTP (ASDM) management
access to the Firewall appliance.
As mentioned, our example instructs the ASA Firewall to use its local database:
We now turn to the management settings of our ASA Firewall to enable and configure HTTP management.
This will allow access to the Firewall’s management via the popular ASDM management application:
The above commands enable HTTP management on the ASA Firewall only for the network 10.71.0.0/24.
ENABLE SSH & TELNET MANAGEMENT FOR INSIDE AND OUTSIDE INTERFACES
Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always
recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option;
however, we must keep in mind that telnet management does not provide any security, as all data
(including usernames, passwords and configurations) is sent in clear text.
Before enabling SSH, we must generate RSA key pairs for identity certificates. Telnet does not require any
such step as it does not provide any encryption or security:
Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on
its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on the
inside interface.
An essential part of any firewall configuration is to define the Internet services our users will have access to.
This is done either by creating a number of lengthy access lists for each protocol/service and then applying
them to the appropriate interfaces, or by utilising the ASA Firewall Object-Groups, which are then applied to
the interfaces. Using Object-groups is easy and recommended as they provide a great deal of flexibility and
ease of management.
The logic is simple: create your Object-Groups, insert the protocols and services required, and then
reference them in the firewall access-lists. As a last step, we apply them to the interfaces we need.
Let’s use an example to help visualise the concept. Our needs require us to create two Object-Groups, one
for TCP and one for UDP services:
Now we need to reference our two Object-groups using the firewall access lists. Here we can also define
which networks will have access to the services listed in each Object-group:
ASA5505(config)# access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
ASA5505(config)# access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any object-group Internet-udp
ASA5505(config)# access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.75.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.76.0.0 255.255.255.0 any object-group Internet-tcp
Note that the 10.71.0.0/24 network has access to the services of both Object-groups, while our other networks are
restricted to only the services defined in the TCP Object-group. To understand how Object-groups help
simplify access list management: without them, we would require 37 access-list commands instead of just
4!
To complete our access list configuration we configure our ASA Firewall to allow ICMP echo packets (ping)
to any destination, and their replies (echo-reply):
The last step in configuring our firewall rules involves applying the two access lists, inside-in & outside-in,
to the appropriate interfaces. Once this step is complete the firewall rules are in effect immediately:
This last step in our ASA Firewall configuration guide will enable logging and debugging so that we can
easily trace events and errors. It is highly recommended to enable logging because it will certainly help
when troubleshooting the ASA Firewall after problems occur.
The commands used above enable logging at the debugging level (7) and set the buffer size in RAM
to 30,000 bytes (~30 Kbytes).
Issuing the show log command will reveal a number of important logs including any packets that are
processed or denied due to access-lists:
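To get more out of the buffered log than scrolling through show log, the denied packets it records can be summarised per access list, source and destination port. The script below is an added example, not part of the original article: it parses the standard ASA %ASA-4-106023 "Deny ... by access-group" message and skips everything else, and the log lines it runs on are constructed for the example (the 198.51.100.7 and 93.184.216.34 addresses are documentation-range placeholders, not hosts from the article).

```python
import re
from collections import Counter

# Constructed sample of buffered log output as printed by "show log". The deny lines use the
# standard %ASA-4-106023 format; the first line is a %ASA-6-302013 connection message that the
# parser must ignore.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 12 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.71.0.20/51000 (200.200.90.2/51000)
%ASA-4-106023: Deny tcp src inside:10.75.0.8/41000 dst outside:93.184.216.34/23 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.75.0.8/53000 dst outside:8.8.8.8/53 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/60000 dst inside:10.71.0.50/3389 by access-group "outside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/60001 dst inside:10.71.0.50/3389 by access-group "outside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.76.0.3/42000 dst outside:93.184.216.34/23 by access-group "inside-in" [0x0, 0x0]
"""

# Fields of the 106023 message: protocol, source interface:ip/port, destination interface:ip/port, ACL name.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per access-list deny message; non-matching lines are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            denies.append(d)
    return denies


def summarize(denies):
    """Count denies per (acl, source ip, protocol, destination port)."""
    return Counter((d["acl"], d["sip"], d["proto"], d["dport"]) for d in denies)


def inbound_denies(denies):
    """Denies whose packets arrived on the outside interface, i.e. blocked traffic from the Internet."""
    return [d for d in denies if d["sif"] == "outside"]


if __name__ == "__main__":
    parsed = parse_denies(SAMPLE_LOG)
    for key, count in summarize(parsed).most_common():
        print(count, *key)
    print("inbound denies:", len(inbound_denies(parsed)))
```

Lines from the inside networks denied on port 23 show users trying a service the Internet-tcp Object-group does not permit; repeated inbound denies from one source are worth correlating with the SSH/telnet host restrictions configured earlier.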
CONCLUSION
This article serves as an introductory configuration guide for the ASA5500 series Firewall appliances. We
covered all necessary commands required to get any ASA5500 Firewall working and servicing network
clients, while also explaining in detail all commands used during the configuration process.