Basic configurations on Cisco ASA Firewall - Part 2
As part of understanding the basics of Cisco ASA firewalls, these are some of the commands used to configure a Cisco ASA firewall in a real-world scenario.
Configuring DHCP, AAA, and SSH
NDNA-ASA(config)# dhcpd address 10.10.10.3-10.10.10.100 inside
NDNA-ASA(config)# dhcpd dns 112.110.112.5
NDNA-ASA(config)# dhcpd option 3 ip 10.10.10.1
NDNA-ASA(config)# dhcpd enable inside
Configure AAA to use the local database for authentication
NDNA-ASA(config)# username admin password NDNA1@
NDNA-ASA(config)# aaa authentication ssh console LOCAL
Configure SSH remote access to the ASA
NDNA-ASA(config)# crypto key generate rsa modulus 1024
Allow SSH connections from any host on the inside network
NDNA-ASA(config)# ssh 10.10.10.0 255.255.255.0 inside
NDNA-ASA(config)# ssh 10.10.1.3 255.255.255.255 outside
NDNA-ASA(config)# ssh timeout 10
Configure a static default route for the ASA
NDNA-ASA(config)# route outside 0.0.0.0 0.0.0.0 112.23.16.11
Configure address translation using PAT and network objects
NDNA-ASA(config)# object network INSIDE-NET
NDNA-ASA(config-network-object)# subnet 10.10.10.0 255.255.255.0
NDNA-ASA(config-network-object)# nat (inside,outside) dynamic interface
NDNA-ASA(config-network-object)# end
Add the inspection of ICMP traffic to the policy map list
NDNA-ASA(config)# policy-map global_policy
NDNA-ASA(config-pmap)# class inspection_default
NDNA-ASA(config-pmap-c)# inspect icmp
Display the default MPF policy map to verify ICMP
NDNA-ASA(config-pmap-c)# show run policy-map
Configure the DMZ interface Gi1/1 on the ASA
Configure DMZ interface Gi1/1, where the publicly accessible web server will reside. Assign Gi1/1 the IP address 10.10.2.1/24, name it dmz, and assign it a security level of 70.
NDNA-ASA(config)# int gi1/1
NDNA-ASA(config-if)# ip address 10.10.2.1 255.255.255.0
NDNA-ASA(config-if)# nameif dmz
NDNA-ASA(config-if)# security-level 70
NDNA-ASA(config-if)# no shut
Configure static NAT to the DMZ server using a network object
NDNA-ASA(config)# object network dmz-server
NDNA-ASA(config-network-object)# host 10.10.2.3
NDNA-ASA(config-network-object)# nat (dmz,outside) static 112.23.16.11
Configure an ACL to allow access to the DMZ server from the Internet
NDNA-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 10.10.2.3
NDNA-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Clear the NAT counters using the clear nat counters command.
NDNA-ASA# clear nat counters
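As an added example that is not part of the original post, the following Python script takes the command transcript above (embedded as a constructed sample, prompts included, exactly as it would be pasted from a terminal) and audits it for settings a reviewer would want a second look at: the 1024-bit RSA host key, the short local password, the OUTSIDE-DMZ entry that permits every IP protocol from any source, and the static NAT mapped address 112.23.16.11, which is the same address the default route uses as its next hop. The checks, their thresholds, and the prompt-stripping regex are my own assumptions for illustration, not an ASA feature.

```python
"""Audit a Cisco ASA command transcript for common hardening gaps.

Added example (not from the original post): it strips the CLI prompts from
the pasted commands and reports the settings a reviewer would flag.
"""
import re
from typing import Dict, List

# Constructed sample input: the transcript from the post, prompts included.
SAMPLE_TRANSCRIPT = """\
NDNA-ASA(config)# dhcpd address 10.10.10.3-10.10.10.100 inside
NDNA-ASA(config)# dhcpd dns 112.110.112.5
NDNA-ASA(config)# dhcpd option 3 ip 10.10.10.1
NDNA-ASA(config)# dhcpd enable inside
NDNA-ASA(config)# username admin password NDNA1@
NDNA-ASA(config)# aaa authentication ssh console LOCAL
NDNA-ASA(config)# crypto key generate rsa modulus 1024
NDNA-ASA(config)# ssh 10.10.10.0 255.255.255.0 inside
NDNA-ASA(config)# ssh 10.10.1.3 255.255.255.255 outside
NDNA-ASA(config)# ssh timeout 10
NDNA-ASA(config)# route outside 0.0.0.0 0.0.0.0 112.23.16.11
NDNA-ASA(config)# object network INSIDE-NET
NDNA-ASA(config-network-object)# subnet 10.10.10.0 255.255.255.0
NDNA-ASA(config-network-object)# nat (inside,outside) dynamic interface
NDNA-ASA(config-network-object)# end
NDNA-ASA(config)# object network dmz-server
NDNA-ASA(config-network-object)# host 10.10.2.3
NDNA-ASA(config-network-object)# nat (dmz,outside) static 112.23.16.11
NDNA-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 10.10.2.3
NDNA-ASA(config)# access-group OUTSIDE-DMZ in interface outside
NDNA-ASA# clear nat counters
"""

# Matches an ASA prompt such as "NDNA-ASA(config)# " or "NDNA-ASA# " (assumed format).
PROMPT_RE = re.compile(r"^\S+?(?:\([^)]*\))?#\s*")


def strip_prompts(transcript: str) -> List[str]:
    """Return the bare commands with the CLI prompt removed; blank lines dropped."""
    commands = []
    for raw in transcript.splitlines():
        cmd = PROMPT_RE.sub("", raw.strip())
        if cmd:
            commands.append(cmd)
    return commands


def audit(commands: List[str]) -> List[str]:
    """Return one human-readable finding per weak or risky setting (assumed thresholds)."""
    findings: List[str] = []
    next_hops = set()                 # next-hop addresses from 'route' commands
    static_nat: Dict[str, str] = {}   # mapped IP -> the nat command that set it
    ssh_sources: List[str] = []       # 'ssh <net> <mask> <interface>' entries
    ssh_aaa = False

    for cmd in commands:
        parts = cmd.split()
        if parts[0] == "crypto" and "rsa" in parts:
            m = re.search(r"modulus (\d+)", cmd)
            if m and int(m.group(1)) < 2048:
                findings.append(f"RSA host key modulus {m.group(1)} is below 2048 bits")
        elif parts[0] == "username" and "password" in parts:
            pw = parts[parts.index("password") + 1]
            if len(pw) < 8:
                findings.append(f"password for user '{parts[1]}' is shorter than 8 characters")
        elif parts[0] == "ssh" and len(parts) == 4:
            ssh_sources.append(cmd)
            if parts[1] == "0.0.0.0" and parts[2] == "0.0.0.0":
                findings.append(f"SSH management reachable from any source on '{parts[3]}'")
        elif cmd.startswith("aaa authentication ssh console"):
            ssh_aaa = True
        elif parts[0] == "route" and len(parts) >= 5:
            next_hops.add(parts[4])
        elif parts[0] == "nat" and "static" in parts:
            static_nat[parts[parts.index("static") + 1]] = cmd
        elif parts[0] == "access-list" and "permit" in parts:
            i = parts.index("permit")
            # 'permit ip any ...' admits every IP protocol from every source
            if parts[i + 1:i + 3] == ["ip", "any"]:
                findings.append(f"ACL {parts[1]} permits all IP protocols from any source: '{cmd}'")

    if ssh_sources and not ssh_aaa:
        findings.append("SSH is enabled but no 'aaa authentication ssh console' is configured")
    for mapped, cmd in static_nat.items():
        if mapped in next_hops:
            findings.append(f"static NAT mapped address {mapped} is also a route next hop: '{cmd}'")
    return findings


def audit_transcript(transcript: str) -> List[str]:
    """Convenience wrapper: strip prompts, then audit."""
    return audit(strip_prompts(transcript))


if __name__ == "__main__":
    for finding in audit_transcript(SAMPLE_TRANSCRIPT):
        print("FINDING:", finding)
```

Run as-is, it prints one FINDING line for each of the four issues named above. Because lines that carry no prompt pass through the stripper unchanged, the same `audit()` can be pointed at saved `show running-config` output; the `ssh 0.0.0.0 0.0.0.0` and missing-AAA checks do not fire on this transcript but are there so the script generalizes to other configurations.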