The Cisco ASA appliance retains clock settings in memory via a battery on the device motherboard. Even if the device is turned off, the clock is retained in memory. Configuring accurate time settings on the appliance is important for logging purposes since syslog messages can contain a time stamp according to the device clock time setting. If you want the syslog messages to include a time-stamp value, you must first configure the clock (using clock set command) and then enable time-stamps using logging timestamp command (more on syslog configuration in later sections). Having a time-stamp value on log messages is important for event tracing and forensic purposes when a security incident occurs.

Another important reason for setting the correct time on the ASA firewall is when you use PKI (Public Key Infrastructure) with digital certificates for authentication of IPSEC VPN peers. The ASA firewall uses the local appliance clock to make sure that a Digital Certificate is not expired. When using PKI digital certificates, set the firewall clock to UTC time zone.

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:

ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:

ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both an authenticated and non-authenticated NTP is supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:

ciscoasa(config)# ntp server 10.1.23.45 source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server 10.1.2.3 key 32 source inside

The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application aware security, denial of service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

In this article I will explain the basic configuration steps needed to setup a Cisco 5505 ASA firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g 200.200.200.1 as an example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface. The difference of the 5505 model from the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you can not configure the physical ports as Layer 3 ports, rather you have to create interface Vlans and assign the Layer 2 interfaces in each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and its the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let’s see the basic configuration setup of the most important steps that you need to configure. The diagram below illustrates the network topology for the configuration setup that we will describe. Notice from the diagram that port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 7 connect to internal hosts (PC computers etc).

Step1: Configure the internal interface vlan

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shut

Step 2: Configure the external interface vlan (connected to Internet)

ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shut

Step 3: Assign Ethernet 0/0 to Vlan 2

ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the rest interfaces with no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

Do the same for Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface

ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3

From March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Step 6: Configure default route towards the ISP (assume default gateway is 200.200.200.2)

ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

The above steps are the absolutely necessary steps you need to configure for making the appliance operational. Of course there are much more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.

Download the best configuration tutorial for any Cisco ASA 5500 Firewall model Here.

A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned a public IP address range of 50.50.50.0/27 (that is a 32 address subnet). The usable addresses in this subnet range between 50.50.50.1 and 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router and 50.50.50.2 is the ISP gateway router. Also, we need to use address 50.50.50.3 for accessing a DMZ web server which has a real private address of 10.10.10.1.
 
Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.

Traffic Flow:

We need to achieve the following traffic flow:

1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.

2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).

Implementation:

There are a few ways you can follow to achieve the functionality above. For sure we need to perform NAT on the border Cisco Router to translate our internal private addresses to public addresses assigned by our ISP. We have the option also to perform additional NAT on the ASA firewall, which however I wouldn’t recommend.

The way I would configure such a scenario is the following:
 

• 1) For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather create a static mapping of 192.168.1.0 to itself (will see this below) and configure NAT overload on the Cisco Router for the network 192.168.1.0/24.
• 2) For inbound communication (Internet towards Web Server), create again a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco Router to map 10.10.10.1 to 50.50.50.3

Configuration:

Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.

Cisco ASA:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Create also a static NAT mapping of 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ , outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1

Cisco Router:

interface ethernet 0
 ip address 50.50.50.1 255.255.255.224
 ip nat outside
!
interface ethernet 1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

!Assume the router uses address 50.50.50.4 for all outbound communication
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255

!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3

ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2