Vous êtes sur la page 1sur 10

Step-By-Step Configuration Guide For The Cisco Asa 5505 Firewall

The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application aware security, denial of service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks. In this article I will explain the basic configuration steps needed to setup a Cisco 5505 ASA firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g 200.200.200.1 as an example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface. The difference of the 5505 model from the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you can not configure the physical ports as Layer 3 ports, rather you have to create interface Vlans and assign the Layer 2 interfaces in each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and it's the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let's see the basic configuration setup of the most important steps that you need to configure.

Step1: Configure the internal interface vlan


-----------------------------------------------------ASA5505(config)# interface Vlan 1 ASA5505(config-if)# nameif inside ASA5505(config-if)# security-level 100 ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0 ASA5505(config-if)# no shut

Step 2: Configure the external interface vlan (connected to Internet)


------------------------------------------------------------------------------------ASA5505(config)# interface Vlan 2 ASA5505(config-if)# nameif outside ASA5505(config-if)# security-level 0 ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0 ASA5505(config-if)# no shut

Step 3: Assign Ethernet 0/0 to Vlan 2


------------------------------------------------ASA5505(config)# interface Ethernet0/0 ASA5505(config-if)# switchport access vlan 2 ASA5505(config-if)# no shut

Step 4: Enable the rest interfaces with no shut


-------------------------------------------------ASA5505(config)# interface Ethernet0/1 ASA5505(config-if)# no shut Do the same for Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface


----------------------------------------------------ASA5505(config)# global (outside) 1 interface ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 6: Configure default route towards the ISP (assume default gateway is 200.200.200.2)
--------------------------------------------------------------------------------------ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1 The above steps are the absolutely necessary steps you need to configure for making the appliance operational. Of course there are much more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.

Cisco ASA 5500 Firewall Configuration User Interface and Access Modes
This article describes the user interface and access modes and commands associated with the operation of Cisco ASA 5500 firewall appliances. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with RJ-45 on one end, and DB-9 Serial on the other end) and a Terminal Emulation software (e.g HyperTerminal), and how to use basic Command Line Interface. A Cisco ASA security appliance has four main administrative access modes:

Monitor Mode: Displays the monitor> prompt. A special mode that enables you to update the image over the network or to perform password recovery. While in the monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password recovery binary image file to download. You access this mode by pressing the "Break" or "ESC" keys immediately after powering up the appliance. Unprivileged Mode: Displays the > prompt. Available when you first access the appliance. If the appliance
2

is a Cisco PIX 500 series, the prompt for unprivileged mode is pixfirewall> and if the appliance is the new Cisco ASA 5500 Series, the prompt is ciscoasa>

Ads by Google

Wireless Telemetry
Easy, Affordable Wireless Telemetry License-free, bi-directional I/O www.pribusin.com

Bosch 7301
Bosch Industrial Spark Plug Half Price Sale www.splugs.com

This mode provides restricted view of the security appliance. You cannot configure anything from this mode. To get started with configuration, the first command you need to know is the enable command. Type enable and hit Enter. The initial password is empty, so hit Enter again to move on the next access mode (Privileged Mode). ciscoasa> enable <-- Unprivileged Mode password: <-- Enter a password here (initially its blank) ciscoasa# <-- Privileged Mode

Privileged Mode: Displays the # prompt. Enables you to change the current settings. Any unprivileged command also works in this mode. From this mode you can see the current configuration by using show running-config. Still, you cannot configure anything yet until you go to Configuration Mode. You access the Configuration Mode using the "configure terminal" command from the Privileged Mode. Configuration Mode: This mode displays the (config)# prompt. Enables you to change all system configuration settings. Use exit from each mode to return to the previous mode.

ciscoasa> enable <-- Unprivileged Mode password: <-- Enter a password here (initially its blank) ciscoasa# configure terminal <-- Privileged Mode ciscoasa(config)# <-- Configuration Mode ciscoasa(config)# exit ciscoasa# exit <-- Back to Privileged Mode ciscoasa> <-- Back to Unprivileged Mode The (config)# mode is sometimes called Global Configuration Mode. Some configuration commands from this mode enter a command-specific mode and the prompt changes accordingly. For example the interface command enters interface configuration mode as shown below: ciscoasa(config)# interface GigabitEthernet0/1 ciscoasa(config-if)# <-- Configure Interface specific parameters

Configure IP Spoofing and IPS Protection with a Cisco ASA 5500 Firewall
The Cisco ASA firewall appliance provides great security protection out-of-the box with its default configuration. However, to increase the security protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support. IP Spoofing Protection IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. This means that packets arriving at a particular interface (e.g inside) must have a valid source IP address that matches the correct source interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP Spoofing mechanism, the firewall checks also the source address of the packets. If for example our inside interface connects to internal network 192.168.1.0/24, this means that packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24 otherwise they will be dropped (if IP Spoofing is configured). The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.
Ads by Google

To enable IP Spoofing protection, enter the following command: CiscoASA5500(config)# ip verify reverse-path interface "interface_name" For example, to enable IP spoofing on the inside interface, use the following command: CiscoASA5500(config)# ip verify reverse-path interface inside Basic IPS Protection Although the ASA Firewall supports full IPS functionality with an extra IPS hardware
4

module (AIP-SSM), it supports also basic IPS protection which is built-in by default without using an extra hardware module. The built-in IPS feature supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called "ip audit". There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as following: For informational signatures: CiscoASA5500 (config)# ip audit name "name" info [action [alarm] [drop] [reset]] For attack signatures: CiscoASA5500 (config)# ip audit name "name" attack [action [alarm] [drop] [reset]] The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection. After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface: CiscoASA5500(config)# ip audit interface "interface_name" " policy_name" Let's see an actual example: CiscoASA5500 (config)# ip audit name dropattacks attack action drop CiscoASA5500 (config)# ip audit interface outside dropattacks

Configure a Cisco ASA 5505 with Dual ISP Backup Connection


In this article I will explain how to configure a Cisco ASA 5505 firewall to connect to dual ISPs for redundancy purposes. Suppose that we have a primary high-speed ISP connection, and a cheaper DSL line connected to a Secondary ISP. Normally all of our traffic should flow through the primary ISP. If the primary link fails, the secondary DSL connection should be utilized for Internet access. Please note that the above scenario is valid only for Outbound traffic (i.e. from our internal network towards the Internet). The functionality that I will describe below works for ASA 5505 version 7.2(1) and above. Assume that we are assigned a static Public IP address of 100.100.100.1 from Primary ISP and another static Public IP address of 200.200.200.1 from our Backup ISP. We will use Ethernet 0/0 for connecting to Primary ISP, Ethernet 0/1 for connecting to our Internal LAN, and Ethernet 0/2 for connecting to our Backup ISP. We will create three VLANs to support our configuration. VLAN1 (the default Vlan) will be assigned to Ethernet 0/1 (inside), VLAN2 will be assigned to Ethernet 0/0 (primary-isp) and VLAN3 will be assigned to Ethernet 0/2 (backup-isp). We also have to configure two static default routes pointing to the ISP gateway address. The primary ISP default route shall have a metric of 1 and the backup ISP default route shall have a metric bigger than 1 (let's say 2). Let us see the configuration below: ASA5505(config)# interface ethernet 0/0 ASA5505(config-if)# switchport access vlan 2 ASA5505(config-if)# no shutdown ASA5505(config)# interface ethernet 0/1 ASA5505(config-if)# switchport access vlan 1 ASA5505(config-if)# no shutdown ASA5505(config)# interface ethernet 0/2 ASA5505(config-if)# switchport access vlan 3 ASA5505(config-if)# no shutdown ASA5505(config)# interface vlan 1 ASA5505(config-if)# nameif inside ASA5505(config-if)# security-level 100 ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0 ASA5505(config-if)# no shutdown ASA5505(config)# interface vlan 2 ASA5505(config-if)# nameif primary-isp ASA5505(config-if)# security-level 0 ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0 ASA5505(config-if)# backup interface vlan 3 ASA5505(config-if)# no shutdown ASA5505(config)# interface vlan 3
6

ASA5505(config-if)# nameif backup-isp ASA5505(config-if)# security-level 1 ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0 ASA5505(config-if)# no shutdown ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1 ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2

Cisco ASA 5510 Firewall : Basic Configuration Tutorial


Continuing our series of articles about Cisco ASA 5500 firewalls, I'm offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license. The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc. Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100. Next we will see a simple Internet Access scenario which will help us understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected on the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let's see a snippet of the required configuration steps for this basic scenario: Step1: Configure a privileged level password (enable password) By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode: ASA5510(config)# enable password mysecretpassword Step2: Configure the public outside interface ASA5510(config)# interface Ethernet0/0 ASA5510(config-if)# nameif outside ASA5510(config-if)# security-level 0

ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252 ASA5510(config-if)# no shut Step3: Configure the trusted internal interface ASA5510(config)# interface Ethernet0/1 ASA5510(config-if)# nameif inside ASA5510(config-if)# security-level 100 ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0 ASA5510(config-if)# no shut Step 4: Configure PAT on the outside interface ASA5510(config)# global (outside) 1 interface ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0 Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2) ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP ASA5510(config)# dhcpd dns 200.200.200.10 ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside ASA5510(config)# dhcpd enable inside The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.

Understanding the 8 Base Commands on a Cisco ASA Security Appliance


There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands: **interface** The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces. **nameif** The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ. **security-level** Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to
8

higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.

ciscoasa(config)# interface vlan1 ciscoasa(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa(config-if)# interface vlan2 ciscoasa(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa(config-if)#interface vlan3 ciscoasa(config-if)# nameif dmz ciscoasa(config-if)# security-level 50 **ip address** The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise, it's not necessary. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1 ciscoasa(config-if)# ip address 192.168.1.1 **switchport access**

The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.

ciscoasa(config-if)# interface ethernet 0/0 ciscoasa(config-if)# switchport access vlan 2 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# interface ethernet 0/1 ciscoasa(config-if)# switchport access vlan 1 ciscoasa(config-if)# no shutdown

**nat** The nat command enables network address translation on the specified interface for the specified subnet. In this sample, configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT I.D. which will be used by the global
9

command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.) ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

**global** The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world. In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface. ciscoasa(config)# global (outside) 1 12.3.4.5 In this additional example of the use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface. ciscoasa(config)# global (outside) 1 interface

**route** The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route. ciscoasa(config-if)# route outside 0 0 12.3.4.6 The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.

10