Basic Firewall Setup - ASA5500
This article covers the basic setup of a Cisco ASA 5500 series firewall. This configuration is more than enough to provide secure and restricted access to the internet. It also covers secure access to and management of the ASA firewall.
To configure your new ASA 5505, plug in your console and you will see the following:
Type help or '?' for a list of available commands.
ciscoasa>
Here you type the command “enable” to enter enabled mode.
ciscoasa> enable
Password:
ciscoasa#
You will get a password prompt. Simply hit enter here because there is no enable password configured.
The first thing you want to do is erase the default configuration Cisco made for you. A lot of default configuration is in place that can cause network issues if the device is connected to a DHCP-enabled network. To erase it, use the commands below and then reload the device.
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
You will be prompted to confirm that you want to erase the configuration. Simply hit enter here.
Now that you have erased your startup configuration you will need to reload the ASA to get a clean configuration. You will use the “reload” command for this.
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
Now when the ASA has restarted you will get this question:
Pre-configure Firewall now through interactive prompts [yes]?
Answer with “no” since you want to configure the ASA yourself.
Now enter enabled mode and issue the command below to check that the default Cisco configuration has been erased.
ciscoasa# show running-config
Start the configuration.
The first thing you want to do is get into configuration mode. You can do this by issuing the command “configure terminal”.
ciscoasa# configure terminal
ciscoasa(config)#
Now we will give our ASA another hostname.
ciscoasa(config)# hostname MyASA
MyASA(config)#
Now we will set a username and password so you can actually manage the ASA from your desk with SSH/Telnet/ASDM.
MyASA(config)# username example password example privilege 15
MyASA(config)#
Privilege 15 is the highest of the privileges and gives you full control over the device.
Inside (LAN) Configuration
Now that this is done we will configure the inside (LAN) address of the ASA.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.
MyASA(config)# interface vlan 1
MyASA(config-if)# ip address 192.168.1.1 255.255.255.0
MyASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
All the ASA devices work with security levels that you apply to VLANs /interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.
Note: the security level of any interface can be changed with the command below.
security-level <value>
The security level configured for DMZ ports is usually set to 50, i.e. security-level 50.
Outside (WAN) configuration
I will start with a static IP address first.
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address 212.115.192.193 255.255.255.248
MyASA(config-if)# nameif outside
INFO: Security level for outside set to 0 by default.
MyASA(config-if)# exit
For the outside interface, ASA sets the security level to 0.
You also need to add a static route if your provider supplied you with a static IP address. This is the default gateway.
MyASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192
Where the ASA gets its IP settings via DHCP from the provider, configuration is much easier, as no default route needs to be configured.
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address dhcp setroute
MyASA(config-if)# nameif outside
Attach VLAN to physical interface
The outside VLAN needs to be attached to one of the interfaces of the ASA.
By default all the interfaces are attached to VLAN 1, and all the interfaces are in the “shutdown” state.
For this setup, I will attach the interface “Ethernet 0” to the outside VLAN (VLAN 2) and make the port operational.
MyASA(config)# interface ethernet0/0
MyASA(config-if)# switchport access vlan 2
MyASA(config-if)# no shutdown
Now this interface is attached to VLAN 2 and operational.
You need to make at least one other port operational for your inside network by typing the command “no shutdown”.
MyASA(config)# interface ethernet0/1
MyASA(config-if)# no shutdown
By default all the interfaces are attached to VLAN 1, so you don’t need to assign a VLAN to the interface.
Configure NAT
To make internet work from your inside network we have to configure NAT.
First you make a global entry on the outside interface to which all the addresses from the inside are translated.
MyASA(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
The number 10 in that line of configuration is an identifier. This way you can tell the NAT rule on the inside which outside IP address it should translate to.
The interface part means that you use your interface IP address to translate to, in this case the outside interface.
Second, we need to make a NAT rule for the inside network.
MyASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0
MyASA(config)#
As you can see I also used the number 10 in this rule. This links the inside network to the outside global. The subnet states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.
NOTE1:
NAT can also be configured with the use of access lists. The access list defines the internal IPs that need to be NATed. The use of access lists gives greater flexibility and control over the IP addresses that need to be NATed.
MyASA(config)# access-list NAT-ACLs extended permit ip 192.168.1.0 255.255.255.0 any
MyASA(config)# access-list NAT-ACLs extended permit ip 192.168.2.0 255.255.255.0 any
MyASA(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
MyASA(config)# nat (inside) 1 access-list NAT-ACLs
The above is for an instance where two sets of IP addresses on the LAN need to be NATed.
NOTE2:
With newer software versions on the ASA, the commands to configure NAT have become much simpler.
MyASA(config)# object network network1
MyASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
MyASA(config-network-object)# nat (inside,outside) dynamic interface
MyASA(config)# object network network2
MyASA(config-network-object)# subnet 192.168.2.0 255.255.255.0
MyASA(config-network-object)# nat (inside,outside) dynamic interface
The above is for an instance where two sets of IP addresses on the LAN need to be NATed.
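An added Python example (not from the article) that resolves the id linkage explained above: it pairs each nat rule with the global entry carrying the same id, expands an access-list based rule to its source networks, and reports rules whose id has no global at all. The sample transcript is constructed from the article's own commands plus an id 7 rule with no matching global.

```python
import re

# Constructed transcript: the NAT forms shown in the article (id 10, and the
# access-list based id 1), plus an id 7 rule with no 'global' to show the failure case.
SAMPLE_NAT = """\
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
access-list NAT-ACLs extended permit ip 192.168.1.0 255.255.255.0 any
access-list NAT-ACLs extended permit ip 192.168.2.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list NAT-ACLs
nat (inside) 7 10.0.0.0 255.0.0.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) any$")

def resolve_nat(config):
    """Link every 'nat' rule to the 'global' entry that shares its id.

    Returns one dict per nat rule: id, inside interface, the source networks that
    will be translated, and the (outside interface, pool) they map to, or None when
    no global with that id exists (such a rule translates nothing)."""
    globals_by_id, acl_sources, rules = {}, {}, []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:                         # first pass: globals and ACL sources
        m = GLOBAL_RE.match(line)
        if m:
            globals_by_id[int(m.group(2))] = (m.group(1), m.group(3))
        m = ACL_RE.match(line)
        if m:
            acl_sources.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    for line in lines:                         # second pass: nat rules, resolved by id
        m = NAT_RE.match(line)
        if not m:
            continue
        inside_if, nat_id, acl_name, net, mask = m.groups()
        sources = acl_sources.get(acl_name, []) if acl_name else [f"{net} {mask}"]
        rules.append({"id": int(nat_id), "inside": inside_if, "sources": sources,
                      "outside": globals_by_id.get(int(nat_id))})
    return rules

def unmatched_nat_ids(config):
    """Ids of nat rules with no matching global: the check to run after configuring NAT."""
    return sorted(r["id"] for r in resolve_nat(config) if r["outside"] is None)
```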
Congratulations! You now should have an internet connection!
Configuring the ASA DHCP server
The ASA firewall can be configured to provide DHCP services to our internal network. There are some limitations with the DHCP service configuration which vary with the ASA model used. On our MyASA, the maximum number of IP addresses in the DHCP pool is just 128.
Note that the DHCP service can run on all ASA interfaces, so it is necessary to specify which interface the DHCP configuration parameters are for:
MyASA(config)# dhcpd address 192.168.1.100-192.168.1.250 inside
Warning, DHCP pool range is limited to 128 addresses, set address range as: 10.71.0.50-10.71.0.177
MyASA(config)# dhcpd address 192.168.1.100-192.168.1.200 inside
MyASA(config)# dhcpd dns 8.8.8.8 interface inside
But now you want to manage the ASA without having to walk to the server room all the time.
The ASA supports remote administration through SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Advanced Security Device Manager).
I will show you how to configure the ASA so you can connect with the ASDM (graphical) and with SSH (CLI).
First we start with SSH.
Enable SSH
To enable SSH you will need to generate a key which will encrypt the traffic between the user and the ASA.
MyASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
MyASA(config)#
Now we want to use the username we made earlier to connect to the ASA with SSH.
MyASA(config)# aaa authentication ssh console LOCAL
The LOCAL means that the ASA uses the local username database to authenticate users.
When this is done you need to tell the ASA which IP addresses are allowed to connect to it. We will only allow users on the inside to access the ASA by SSH.
MyASA(config)# ssh 192.168.1.0 255.255.255.0 inside
MyASA(config)# ssh 200.200.90.5 255.255.255.255 outside
MyASA(config)# telnet 192.168.1.0 255.255.255.0 inside
Note: the ASA is now accessible by Telnet and SSH from any of the LAN IPs, and from the internet only from 200.200.90.9.
Enable ASDM
Next, we enable the ASDM graphic interface.
MyASA(config)# http server enable
This command enables the ASDM on the ASA.
We want to use the username we made earlier and tell which networks are allowed to connect to the ASA with the ASDM.
MyASA(config)# aaa authentication http console LOCAL
MyASA(config)# http 192.168.1.0 255.255.255.0 inside
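As an added example (not from the article), a Python audit over the SSH, Telnet and ASDM access commands entered above, collected into one constructed text blob. The thresholds (management only from inside, RSA modulus of at least 2048 bits) are my assumptions, and the Telnet finding reflects that Telnet carries credentials in cleartext, which is why the article generates an RSA key for SSH.

```python
import re

# Constructed blob of the management-plane commands entered in this article
# (the 200.200.90.5 outside host is the article's own example value).
ARTICLE_MGMT_COMMANDS = """\
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh 200.200.90.5 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

ACCESS_RE = re.compile(r"^(ssh|telnet|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
MODULUS_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")

def mask_bits(mask):
    """Prefix length of a dotted-decimal mask: 255.255.255.0 -> 24, 0.0.0.0 -> 0."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def audit_management_access(commands, trusted_ifaces=("inside",), min_modulus=2048):
    """Return (severity, message) findings for the ssh/telnet/http access lines, the RSA
    key size, and the aaa lines that bind SSH and ASDM logins to the LOCAL user database."""
    findings = []
    for line in (l.strip() for l in commands.splitlines()):
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, iface = m.groups()
            scope = f"{net}/{mask_bits(mask)} on {iface}"
            if proto == "telnet":
                findings.append(("high", f"telnet from {scope}: credentials cross the LAN in cleartext"))
            if mask_bits(mask) == 0:
                findings.append(("high", f"{proto} from any address on {iface}"))
            elif iface not in trusted_ifaces:
                findings.append(("medium", f"{proto} from {scope}, an untrusted interface"))
            continue
        m = MODULUS_RE.match(line)
        if m and int(m.group(1)) < min_modulus:
            findings.append(("medium", f"RSA modulus {m.group(1)} is below {min_modulus} bits"))
    for proto in ("ssh", "http"):   # without these, the access lines fall back to the default login
        if f"aaa authentication {proto} console LOCAL" not in commands:
            findings.append(("high", f"{proto} access is not bound to the LOCAL user database"))
    return findings
```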
Save the configurations
You can do this by saving the configuration with the following command.
MyASA(config)# write memory
Building configuration...
Cryptochecksum: e5fa3ae9 add2aae4 c0be8847 79cec1ba
2502 bytes copied in 1.190 secs (2502 bytes/sec)
[OK]
MyASA(config)#
Security Levels
level 0 - represents the untrusted zone
level 100 - represents the most trusted zone
- You can assign an interface any level value (0-100). When assigning these levels, keep in mind the default treatment of traffic by the ASA firewall based on security levels: a session can only be established from a higher security level to a lower one, not the other way round. Also note that between interfaces with the same security level, communication is not allowed by default.
How to allow inter-level communication:
1. Using an access-list
Configure an extended access-list:
# access-list branch-hq extended permit ip host 192.168.0.20 192.168.5.0 255.255.255.0
Apply the access-list inbound to the interface with the lower security level:
# access-group branch-hq in interface branches
--- where branches is the nameif assigned to the interface.
2. Inter-interface:
Using the same security level and permitting inter-level communication with the command
# same-security-traffic permit inter-interface
This allows communication between interfaces with the same security level. Note that interfaces with the same security level will not pass traffic, even when it is allowed via an access-list, without this inter-interface configuration.
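The rules in this section modelled in Python, as an added example that is neither the article's nor Cisco's code: the 'branches' level of 50 and the 'partner' interface are constructed to exercise the equal-level case, and the access-list handling follows the article's statement that an inbound access-group decides traffic on its interface except between equal levels, which stay blocked without same-security-traffic permit inter-interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Interface:
    nameif: str
    security_level: int                                    # 0 = untrusted ... 100 = most trusted
    inbound_acl: Optional[List[Tuple[str, str]]] = None    # (src_net, dst_net) ACEs of 'access-group ... in'

@dataclass
class AsaPolicy:
    interfaces: dict
    same_security_inter_interface: bool = False            # 'same-security-traffic permit inter-interface'

def acl_permits(acl, src, dst):
    """True if any ACE of the extended access-list matches both addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn) for sn, dn in acl)

def session_allowed(policy, ingress, egress, src, dst):
    """Model of the default behaviour described above (an illustration, not ASA code):
    a new session may start from a higher security level towards a lower one; between
    equal levels it is dropped unless inter-interface traffic is permitted; and once an
    access-group is applied inbound on the ingress interface, that access-list decides."""
    s_if, d_if = policy.interfaces[ingress], policy.interfaces[egress]
    same_level = s_if.security_level == d_if.security_level
    if same_level and not policy.same_security_inter_interface:
        return False                                       # dropped even if an ACL would permit it
    if s_if.inbound_acl is not None:
        return acl_permits(s_if.inbound_acl, src, dst)     # inbound access-group replaces the level rule
    return same_level or s_if.security_level > d_if.security_level

# Constructed topology: the article's inside/outside, a 'branches' interface (level 50) carrying
# the 'branch-hq' access-list from above, and a 'partner' interface at the same level.
BRANCH_HQ_ACL = [("192.168.0.20/32", "192.168.5.0/24")]
POLICY = AsaPolicy(interfaces={
    "inside":   Interface("inside", 100),
    "outside":  Interface("outside", 0),
    "branches": Interface("branches", 50, inbound_acl=BRANCH_HQ_ACL),
    "partner":  Interface("partner", 50),
})
```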
END.