Cisco ASA Configuration

Connecting to the Cisco ASA

Management

  • Right out of the box, the firewall has a listening DHCP server on the Management interface for 192.168.1.x. Plug your workstation into the switch, and allow your connection to be automatically configured. The address of the firewall is 192.168.1.1.
  • You can of course skip this by connecting to the console port.

ASDM

  • You can now connect to the ASA via the Cisco ASDM software for complete management.
  • For your initial login, username and password should be left blank.

Console

  • The ASA software and PIX-OS 7.x software are extremely similar, if not identical. They differ mainly in that the ASA has enhanced software features not available on a PIX.

Basics of the Cisco ASA

Interfaces

  • The ASA is different from the PIX firewall in that it has multiple (four instead of two) manageable interfaces. Unless the customer's setup requirements specify otherwise, you should set up the traditional 'inside' and 'outside' interfaces. The ASA defaults the security level of the interface named 'inside' to 100 and the one named 'outside' to 0. To do this via the CLI, use the interface command. For example:
ciscoasa(config)# interface g0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shutdown

You will see an INFO message regarding the ASA setting the interface's default security level. Alternatively, you can set the security level manually with the security-level command.

  • Additionally, this can be accomplished through the ASDM via the 'Configuration' -> 'Interfaces' options.

Standard configuration values

The following are the base configuration values that should be added to the ASA configuration to allow administration of the device, time synchronization, and logging. If you use the configuration generator, these values will already be present in the configuration.

clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name theplanet.com
hostname hwloc-CXXXX-asa55xx
enable password <removed> encrypted
passwd <removed> encrypted
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 12.96.160.120
timeout 5
key kn0ck!
aaa-server TACACS+ (outside) host 12.96.160.121
timeout 5
key kn0ck!
aaa authentication http console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
logging enable
logging timestamp
logging standby
logging buffered errors
logging trap errors
logging history warnings
logging asdm errors
logging host outside 12.96.160.125
ssh 70.84.160.0 255.255.255.0 outside
ssh 12.96.160.0 255.255.255.0 outside
ssh 67.19.0.0 255.255.255.0 outside
http server enable
http 70.84.160.0 255.255.255.0 outside
http 12.96.160.0 255.255.255.0 outside
http 67.19.0.0 255.255.255.0 outside
ntp server 12.96.160.1 source outside
ntp server 192.43.244.18 source outside
crypto key generate rsa
  • Full NAT Config:
hostname Cxxxx-LOC-5520
domain-name theplanet.com
names
name 12.96.160.0 dllstx2
name 67.19.0.0 dllstx4
name 70.84.160.0 dllstx5
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit ip dllstx2 255.255.255.0 any
access-list 101 permit ip dllstx4 255.255.255.0 any
access-list 101 permit ip dllstx5 255.255.255.0 any
!
interface GigabitEthernet0/0
nameif outside
no shutdown
security-level 0
ip address x.x.x.x y.y.y.y
!
interface GigabitEthernet0/1
nameif inside
no shutdown
security-level 100
ip address ...1 255.255.255.0
!
nat (inside) 1 255.255.255.0 0 0
static (inside, outside) x.x.x.x ...2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 12.96.160.120
timeout 5
key kn0ck!
aaa-server TACACS+ (outside) host 12.96.160.121
timeout 5
key kn0ck!
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication ssh console TACACS+
ssh 12.96.160.0 255.255.255.0 outside
ssh 67.19.0.0 255.255.255.0 outside
ssh 70.84.160.0 255.255.255.0 outside
ntp server 12.96.160.1 source outside
ntp server 216.234.234.120 source outside
crypto key generate rsa
http server enable
http 12.96.160.0 255.255.255.0 outside
http 67.19.0.0 255.255.255.0 outside
http 70.84.160.0 255.255.255.0 outside
logging enable
logging timestamp
logging console warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging host outside 12.96.160.125
http 255.255.255.0 inside
telnet 255.255.255.0 inside
console timeout 5
exit
wr mem
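As an added example that is not part of the original page or of any Cisco tool, the following Python script audits a saved ASA configuration for the points this section cares about: ssh/http/telnet access limited to specific subnets, no cleartext telnet, the AAA, logging and NTP lines present, and whether an access-list that permits ip any any is applied inbound on the outside interface. The sample configuration and its 203.0.113.0/24 addresses are constructed.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the page's standard values and NAT config. It
# deliberately contains an ssh line open to 0.0.0.0/0, a cleartext telnet line
# and an inbound 'permit ip any any' so that each check has something to flag.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
access-group 101 in interface outside
aaa authentication http console TACACS+
aaa authentication ssh console TACACS+
logging host outside 203.0.113.125
ssh 203.0.113.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 203.0.113.0 255.255.255.0 outside
telnet 203.0.113.0 255.255.255.0 inside
ntp server 203.0.113.1 source outside
"""

# 'ssh/http/telnet <network> <mask> <nameif>' management-access lines only
MGMT_RE = re.compile(r"^(ssh|http|telnet)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)$")
ANY_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+any\s+any$")
REQUIRED = ("aaa authentication ssh console", "aaa authentication http console", "logging host ", "ntp server ")

def audit_asa_config(config: str, max_prefix: int = 24) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, any_any = [], set()
    for l in lines:                      # first pass: ACLs that permit ip any any
        m = ANY_ANY_RE.match(l)
        if m:
            any_any.add(m.group(1))
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            net = ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen < max_prefix:   # broader than the allowed /24
                findings.append(f"{proto} from {net} on {iface} is wider than /{max_prefix}")
            if proto == "telnet":
                findings.append(f"telnet (cleartext) management enabled on {iface}")
        elif line.startswith("access-group ") and " in interface outside" in line:
            if line.split()[1] in any_any:
                findings.append(f"ACL {line.split()[1]} permits ip any any inbound on outside")
    for req in REQUIRED:                 # lines the standard config expects
        if not any(l.startswith(req) for l in lines):
            findings.append(f"missing: {req.strip()}")
    return findings
```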

Security Levels

By default, the ASA allows traffic to pass from trusted to untrusted interfaces, but not the reverse. In other words, traffic can pass from interfaces with higher security levels to interfaces with lower security levels.

  • Security level 100—The highest possible level, it is used by the inside interface by default. Using the trusted-untrusted terminology, this level is considered the most trusted.
  • Security level 0—The lowest possible level, it's used by the outside interface by default, making it the most untrusted interface. Traffic can pass from this interface to other interfaces only if manually configured to do so.
  • Security levels 1–99—Can be assigned to any other interface on the PIX. Traffic from interfaces between 1 and 99 can pass through to the outside (0), but it is prevented from passing to the inside (100). This is because the interface has a lower security level setting than the inside.

Security levels are a very important concept in ASA configuration. Remember, only traffic from a higher security-level interface can pass to a lower security-level interface by default. The default value for the inside interface is 100, and the outside value is 0.

[Image: Securitylevels.jpg]
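As an added example (not from the page or from Cisco), the following Python snippet derives the default traffic permissions from the interface section of an ASA configuration, applying the defaults described above. The dmz interface at level 50 is an assumption added to illustrate the 1 to 99 range, and the same_security_permitted flag models the 'same-security-traffic permit inter-interface' command, which is not on this page.

```python
# Constructed sample modelled on the page's interface section; 'inside' has no
# explicit security-level so the parser must apply the default of 100. The dmz
# interface is an assumption added for illustration.
SAMPLE_INTERFACES = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
"""

def parse_security_levels(config: str) -> dict:
    """Map each nameif to its effective security level: 'inside' defaults to
    100 and any other name to 0 until an explicit security-level overrides it."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                               # new interface block
        elif line.startswith("nameif "):
            name = line.split()[1]
            levels.setdefault(name, 100 if name == "inside" else 0)
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def allowed_by_default(levels: dict, src: str, dst: str,
                       same_security_permitted: bool = False) -> bool:
    """True if a connection initiated on src reaches dst with no ACL applied:
    only higher-to-lower, or equal levels when same-security traffic is permitted."""
    if levels[src] == levels[dst]:
        return same_security_permitted
    return levels[src] > levels[dst]

def default_flow_matrix(levels: dict) -> dict:
    """Every (src, dst) pair and whether it passes by default; handy for review."""
    return {(s, d): allowed_by_default(levels, s, d)
            for s in levels for d in levels if s != d}
```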