HOW TO: ASA Firewall basic configuration lab

This article demonstrates some basic configuration on a Cisco ASA firewall. I am using an ASA firewall running 9.x code for this lab. You should be able to replicate this step-by-step configuration in your lab as well. Let’s get started.

How to configure a hostname

ciscoasa# conf t (enable mode)
ciscoasa(config)# hostname LAB-ASA
LAB-ASA(config)#

How to configure the enable password

LAB-ASA(config)# enable password N3tFixPr0
LAB-ASA(config)# exit

How to configure an interface

LAB-ASA(config)# interface GigabitEthernet1
LAB-ASA(config-if)# nameif INSIDE
LAB-ASA(config-if)# ip address 10.10.10.1 255.255.255.0
LAB-ASA(config-if)# no shutdown
LAB-ASA(config-if)# speed 1000
LAB-ASA(config-if)# duplex full

To configure an interface:

  • The nameif command is mandatory. It gives a logical name to the interface. Without the nameif command, even though the interface is in the UP/UP state, it cannot be used for traffic forwarding.
  • An IP address is mandatory. It is configured with the command ip address <IP> <MASK> [standby <IP>].
  • Speed and duplex are optional. They are configured with the commands speed [10|100|1000|auto] and duplex [half|full|auto]. By default, all interfaces auto-negotiate both speed and duplex.
  • The security level is optional. It is configured with the command security-level <0-100>. By default, the ASA assigns the following implicit security levels to interfaces:
    • 100 to a nameif of inside.
    • 0 to a nameif of outside.
    • 0 to all other nameifs.
NOTE:

By default, traffic from a higher security level to a lower security level is allowed (for example, from 100 to 0), and traffic from a lower security level to a higher security level is denied (for example, from 0 to 100). In both cases, an ACL must be configured and applied (at interface level or global level) to restrict the access.

Also, traffic between interfaces with an identical security level is denied by default (for example, from 20 to 20). To allow traffic in this situation, the command same-security-traffic permit inter-interface must be configured.

How to enable telnet access

In the following example, I am demonstrating telnet access from the host 10.10.10.10, the network 10.10.10.0/24 and from anyone coming via the INSIDE segment using local authentication.

LAB-ASA(config)# telnet 10.10.10.10 255.255.255.255 INSIDE  (to allow single host) 
LAB-ASA(config)# telnet 10.10.10.0 255.255.255.0 INSIDE     (to allow the n/w) 
LAB-ASA(config)# telnet 0.0.0.0 0.0.0.0 INSIDE              (to allow anyone)
LAB-ASA(config)# username NetFixPro password N3tFixPr0 privilege 15 
LAB-ASA(config)# aaa authentication telnet console LOCAL

NOTE:

You cannot use Telnet connectivity from the lowest security interface unless you use Telnet inside an IPsec tunnel.

How to enable SSH access

SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. The ASA supports the SSH Versions 1 and 2 with DES and 3DES ciphers. You may want to allow SSH connections to the ASA for management purposes.

In the following example, I am generating an RSA key using netfixpro.com as my domain name, and then I am enabling SSH access from the 10.10.10.0/24 subnet using local authentication.

LAB-ASA(config)# domain-name netfixpro.com

LAB-ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key> 
Keypair generation process begin. Please wait... 

LAB-ASA(config)# ssh 10.10.10.0 255.255.255.0 INSIDE
LAB-ASA(config)# username NetFixPro password N3tFixPr0 privilege 15 
LAB-ASA(config)# aaa authentication ssh console LOCAL

How to enable HTTP server

ASDM requires HTTP access, and it’s disabled by default. In the following example, I am enabling HTTP access from the 10.10.10.0/24 network via the INSIDE segment.

LAB-ASA(config)# http server enable 
LAB-ASA(config)# http 10.10.10.0 255.255.255.0 INSIDE
LAB-ASA(config)# username NetFixPro password N3tFixPr0 privilege 15
LAB-ASA(config)# asdm image disk0:/asdm-731.bin
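
As an added example (not part of the original article or any Cisco tooling), this Python script audits the management-access lines from the Telnet, SSH and HTTP sections above and reports cleartext Telnet, any-source rules, and services with no aaa authentication line. It assumes input in running-config form (no CLI prompts); the function name, the constructed sample and the 256-address threshold are this example's own choices.

```python
import ipaddress
import re

# Constructed sample: the management-access lines used in this lab.
SAMPLE_CONFIG = """\
telnet 10.10.10.10 255.255.255.255 INSIDE
telnet 10.10.10.0 255.255.255.0 INSIDE
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
aaa authentication telnet console LOCAL
ssh 10.10.10.0 255.255.255.0 INSIDE
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 INSIDE
"""

RULE = re.compile(r"^(telnet|ssh|http)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$")
AAA = re.compile(r"^aaa authentication (telnet|ssh|http) console \S+")


def audit_mgmt_access(config, max_hosts=256):
    """Return sorted (service, finding) tuples for risky management-access lines."""
    findings, services, aaa = set(), set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := AAA.match(line):
            aaa.add(m.group(1))
            continue
        m = RULE.match(line)
        if not m:
            continue  # e.g. "telnet timeout 5" or "http server enable"
        svc, ip, mask, nameif = m.groups()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        services.add(svc)
        if svc == "telnet":  # Telnet carries credentials unencrypted
            findings.add((svc, f"cleartext protocol permitted from {net} on {nameif}"))
        if net.prefixlen == 0:
            findings.add((svc, f"any source permitted on {nameif}"))
        elif net.num_addresses > max_hosts:
            findings.add((svc, f"broad source {net} permitted on {nameif}"))
    for svc in services - aaa:  # service allowed but no AAA console line seen
        findings.add((svc, "no 'aaa authentication' console line found"))
    return sorted(findings)


if __name__ == "__main__":
    for svc, finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"[{svc}] {finding}")
```

On the lab configuration it flags every Telnet rule, the 0.0.0.0 0.0.0.0 entry, and the HTTP service, which this lab enables without an aaa authentication http console line.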

I hope you enjoyed this article. Please feel free to leave a comment or feedback.

Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on the following social media to know more about him.
