Cisco ASA Firewall Archives

Virtual private networks, and really VPN services of many types, are similar in function but different in setup. In a previous post (AnyConnect SSL VPN) I briefly explained the general functionality of a new remote access VPN technology, the AnyConnect SSL client VPN. The Cisco AnyConnect VPN is supported on the new ASA 8.x software version and provides remote access to users with just a secure web browser (HTTPS). The AnyConnect client software supports Windows Vista, XP, 2000, Mac OS X and Linux. The client can either be preinstalled on the remote user's PC or it can be loaded onto ASA flash and pushed to the remote user's PC when they connect to the ASA. You also have the option to uninstall the client from the remote user's PC when he/she disconnects from the ASA.

EDIT: My new ebook, “Cisco VPN Configuration Guide – By Harris Andrea” provides a comprehensive technical tutorial about all types of VPNs that you can configure on Cisco Routers and ASA Firewalls (including of course SSL Anyconnect or IPSEC Remote Access VPNs).

In this post I will explain the technical details to configure AnyConnect SSL VPN on a Cisco ASA 5500. I assume that we use AnyConnect client version 2.0, which will be stored on ASA flash and uploaded to the remote user on demand. The same configuration applies to newer versions of AnyConnect. The remote users, after successful authentication, will receive an IP address from a local ASA pool. The internal ASA network will use subnet range

Therefore, after the remote user successfully authenticates on Cisco ASA with the AnyConnect client, he will receive an IP address in the range to 50 and he will be able to access resources in the internal LAN network

Upload AnyConnect to ASA

The first step is to obtain the AnyConnect client software from the Cisco Software Download Website. You will need to download the appropriate software version according to the Operating System that your users have on their computers.

Assume the software vpn client file is “anyconnect-win-2.0.0343-k9.pkg”.

ASA(config)# copy tftp flash
Address or name of remote host ?
Source filename ? anyconnect-win-2.0.0343-k9.pkg
Destination filename [anyconnect-win-2.0.0343-k9.pkg]?

Accessing tftp://…!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-2.0.0343-k9.pkg…

Configuring the Cisco ASA

! Specify the AnyConnect image to be downloaded by users
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

! Enable AnyConnect access on the outside ASA interface
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# anyconnect enable
! (On ASA 8.0 to 8.3 the equivalent commands are "svc image ..." and "svc enable")

! Create a local IP address pool to assign for remote users
ASA(config)# ip local pool SSLClientPool mask

! Configure NAT exemption for traffic between internal LAN and remote users

For ASA versions prior to 8.3:
ASA(config)# access-list NONAT extended permit ip
ASA(config)# nat (inside) 0 access-list NONAT

For ASA version 8.3 and later:
ASA(config)# object network INSIDE-HOSTS
ASA(config)# object network VPN-HOSTS
ASA(config)# nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS

! Create usernames that will use the AnyConnect remote access only
ASA(config)#username userA password test123
ASA(config)#username userA attributes
ASA(config-username)# service-type remote-access

ASA(config)#username userB password test12345
ASA(config)#username userB attributes
ASA(config-username)# service-type remote-access

! Create a group policy with configuration parameters that should be applied to clients (there are two options available here according to the ASA version you are running)

Option 1:
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value
ASA(config-group-policy)# vpn-tunnel-protocol svc
ASA(config-group-policy)# address-pools value SSLClientPool

Option 2:
ASA(config)# group-policy SSLCLientPolicy internal
ASA(config)# group-policy SSLCLientPolicy attributes
ASA(config-group-policy)# dns-server value
ASA(config-group-policy)# address-pools value SSLClientPool
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# vpn-tunnel-protocol svc

! Allow the AnyConnect traffic to bypass access lists
ASA(config)# sysopt connection permit-vpn

! Create tunnel group profile to define connection parameters
ASA(config)# tunnel-group SSLClientProfile type remote-access
ASA(config)# tunnel-group SSLClientProfile general-attributes
ASA(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA(config-tunnel-webvpn)# webvpn
ASA(config-webvpn)#tunnel-group-list enable

How to Connect

The user just needs to open a browser and go to https://[outside ASA IP]

The login screen is displayed as in the example below:

In the "Group" field enter the name of the tunnel group SSLClientProfile or SSLVPNClient (the group alias name).

In the "Username" and "Password" fields enter the user credentials (e.g. userA, test123).

How to Configure Clock and NTP on Cisco ASA 5500

The Cisco ASA appliance retains clock settings in memory via a battery on the device motherboard. Even if the device is turned off, the clock is retained in memory. Configuring accurate time settings on the appliance is important for logging purposes, since syslog messages can contain a time stamp taken from the device clock. If you want the syslog messages to include a time-stamp value, you must first configure the clock (using the clock set command) and then enable time stamps using the logging timestamp command (more on syslog configuration in later sections). Having a time-stamp value on log messages is important for event tracing and forensic purposes when a security incident occurs.

Another important reason for setting the correct time on the ASA firewall is when you use PKI (Public Key Infrastructure) with digital certificates for authentication of IPSEC VPN peers. The ASA firewall uses the local appliance clock to make sure that a Digital Certificate is not expired. When using PKI digital certificates, set the firewall clock to UTC time zone.

Configure Clock Settings:

To configure the clock settings of the ASA appliance, use the clock set command as shown below:

ciscoasa# clock set hh:mm:ss [day month | month day] year

Example:
ciscoasa# clock set 18:30:00 Apr 10 2009

To verify the correct clock on the appliance, use the show clock command.

Configure Time Zone and Daylight Saving Time:

To configure the time zone and the summer daylight saving time use the commands below:

ciscoasa# config t
ciscoasa(config)# clock timezone [zone name] [offset hours from UTC]
ciscoasa(config)# clock summer-time [zone name] recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

Example:
ciscoasa(config)# clock timezone MST -7
ciscoasa(config)# clock summer-time MST recurring 1 Sunday April 2:00 last Sunday October 2:00

Configure Network Time Protocol (NTP):

If there is an NTP server in the network that provides accurate clock settings, then you can configure the firewall to synchronize its time with the NTP server. Both authenticated and non-authenticated NTP are supported:

Non-Authenticated NTP:

ciscoasa(config)# ntp server [ip address of NTP] source [interface name]

Example:
ciscoasa(config)# ntp server source inside

Authenticated NTP:

ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key [key ID] md5 [ntp key]
ciscoasa(config)# ntp trusted-key [key ID]
ciscoasa(config)# ntp server [ip address of NTP] key [key ID] source [intf name]

Example:
ciscoasa(config)# ntp authenticate
ciscoasa(config)# ntp authentication-key 32 md5 secretkey1234
ciscoasa(config)# ntp trusted-key 32
ciscoasa(config)# ntp server key 32 source inside
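As an added example (not code from the original post), the following Python script audits a constructed ASA running-config built from the commands in the AnyConnect and NTP sections above: it checks that every NTP server line actually uses an authenticated, trusted key, that syslog time stamps are enabled, that AnyConnect is enabled under webvpn, that every local user is restricted to remote-access, and it flags "sysopt connection permit-vpn" for review because it lets decrypted VPN traffic bypass the interface access lists. The addresses, the extra NTP server, the "admin" user and the check names are assumptions made for the sample.

```python
import re
# Constructed sample running-config (hypothetical addresses) built from the commands in this post.
SAMPLE_CONFIG = """\
ntp authenticate
ntp authentication-key 32 md5 secretkey1234
ntp trusted-key 32
ntp server 10.0.0.5 key 32 source inside
ntp server 10.0.0.6 source inside
logging timestamp
webvpn
 anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 anyconnect enable
username userA password test123
username userA attributes
 service-type remote-access
username admin password test12345
sysopt connection permit-vpn
"""

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit(config):
    """Return (check, ok, detail) tuples; ok=False means the item needs attention."""
    blocks = parse_blocks(config)
    top = set(blocks)
    out = []
    # A server line is authenticated only if 'ntp authenticate' is on and it names a trusted key.
    trusted = {m.group(1) for c in top if (m := re.match(r"ntp trusted-key (\d+)$", c))}
    for srv in sorted(c for c in top if c.startswith("ntp server ")):
        key = re.search(r" key (\d+)", srv)
        out.append(("ntp-auth", "ntp authenticate" in top and key is not None and key.group(1) in trusted, srv))
    out.append(("logging-timestamp", "logging timestamp" in top, "syslog time stamps"))
    wv = blocks.get("webvpn", [])
    out.append(("anyconnect-enabled", any(c.startswith("anyconnect image ") for c in wv) and "anyconnect enable" in wv, "webvpn"))
    # Each local VPN user should be limited to remote-access so the account cannot log in to manage the ASA.
    users = {m.group(1) for c in top if (m := re.match(r"username (\S+) password", c))}
    for user in sorted(users):
        attrs = blocks.get(f"username {user} attributes", [])
        out.append(("service-type", "service-type remote-access" in attrs, user))
    # 'sysopt connection permit-vpn' lets decrypted VPN traffic bypass interface ACLs; flag it for review.
    out.append(("acl-bypass-review", "sysopt connection permit-vpn" not in top, "sysopt connection permit-vpn"))
    return out
```

Run it against the output of "show running-config" saved to a file to get the same findings for a real appliance.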

The convenience and advantages of secure VPNs have driven this technology to keep evolving continuously. Several years ago we only had the standardized IPsec VPN (which is still widely used today). IPsec is a pure IP network VPN technology for connecting distant LAN networks over unsecured paths. IPsec is also used for client VPNs connecting remote teleworkers to their central site network. The characteristic of IPsec VPNs is that they provide FULL network connectivity between the VPN peers. That is, a remote access IPsec client VPN connects the remote user to the central network just as if the user were locally connected.

After IPsec, the Web SSL VPN made its appearance. The remote user needs just a web browser with HTTPS to connect to the central site network. After authentication, the user is presented with a web portal with links to the applications he is allowed to run. That is, the Web SSL VPN does not provide full network visibility to the remote user. The user has access only to specific applications (like internal email, internal files etc). Both IPsec VPNs and SSL VPNs are supported by Cisco ASA 5500 firewalls.

The newest generation of remote access VPNs is offered by the Cisco AnyConnect SSL VPN client. This is supported by Cisco ASA 8.x. The AnyConnect SSL VPN provides the best features from both of the other VPN technologies (IPsec and Web SSL). With AnyConnect, the remote user has full network connectivity to the central site. It also offers the convenience of the Web SSL VPN, since there is no need to permanently install an IPsec VPN client on the user's computer. Instead, there is an SSL client stored in the ASA flash memory which is downloaded to the remote user's computer on demand.

How AnyConnect SSL VPN Client works

For first time user connection, the remote teleworker just opens a browser pointing to https://<ASA-outside-public-IP>. The browser connects to the ASA firewall and presents the user with a login screen. The user enters his credentials (username/password) and the ASA identifies that the user does not have the SSL client installed. Therefore it pushes the SSL client to the user’s computer. The client installs itself to the remote PC and establishes a secure SSL VPN connection between the remote user and the ASA. The user is also assigned an IP address from an address pool configured on the ASA and has full network access to the central site. When the SSL connection is stopped, the SSL client either uninstalls itself or remains on the user’s PC (depending on the configuration of the ASA).

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.

The AnyConnect SSL client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator.

In another post I will explain how to configure the AnyConnect SSL VPN on a Cisco ASA 5500 firewall.

Cisco ASA 5505 Basic Configuration Tutorial

The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (5510, 5520, 5540 etc). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application aware security, denial of service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

In this article I will explain the basic configuration steps needed to set up a Cisco ASA 5505 firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g. as an example) and that our internal network range is We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface. The difference between the 5505 model and the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; rather, you have to create interface VLANs and assign the Layer 2 interfaces to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let's see the basic configuration setup of the most important steps that you need to configure. The diagram below illustrates the network topology for the configuration setup that we will describe. Notice from the diagram that port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 7 connect to internal hosts (PC computers etc).

Step 1: Configure the internal interface VLAN

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address
ASA5505(config-if)# no shut

Step 2: Configure the external interface VLAN (connected to the Internet)

ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address
ASA5505(config-if)# no shut

Step 3: Assign Ethernet 0/0 to Vlan 2

ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the remaining interfaces with no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

Do the same for each of Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface

ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1

UPDATE for ASA Version 8.3

In March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially to the NAT/PAT mechanism. The "global" command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

ASA5505(config)# object network obj_any
! Match any internal source address (0.0.0.0/0) and translate it to the outside interface address
ASA5505(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface

Step 6: Configure default route towards the ISP (assume default gateway is

ASA5505(config)# route outside 1

The above steps are the absolutely necessary steps you need to configure to make the appliance operational. Of course there are many more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.


Cisco ASA 5580

Cisco ASA 5580 Features

The 5580 is the flagship Cisco ASA model. It comes in two versions, the ASA 5580-20 and the ASA 5580-40, which differ in their performance parameters. The ASA 5580 is basically an HP server chassis with 6 slots on the back for inserting interface card modules. The 5580 is designed for the largest and most traffic-demanding network topologies. It is ideal for high-speed data centers and large campus networks. It supports the largest firewall throughput in the hardware firewall market, with 5 Gbps (5580-20) and 10 Gbps (5580-40) capacity. It is also the only model supporting 10 Gbps interfaces. Like the 5550, it does not support an embedded Security Services Module (SSM), so you cannot integrate IDS/IPS functionality inside the same chassis.

Cisco ASA 5550

Cisco ASA 5550 Features

Now let us see the next ASA model in the series, the Cisco ASA 5550. With over one gigabit of firewall performance (1.2 Gbps) this appliance can easily be used on ISP public services segments or on medium data rate campuses and data centers. From this model and up, there is no support for a Security Services Module (SSM), so basically you cannot include IDS/IPS or Content Inspection functionality integrated inside the box. However, with this model you get the advantage of having eight integrated gigabit copper ports (8 x 10/100/1000) PLUS four optical gigabit ports (4 SFPs), which means you will not run out of network port capacity easily.

Cisco ASA 5540

Cisco ASA 5540 Features

Next in line is the Cisco ASA 5540 firewall appliance. This device is geared towards large enterprises which need firewall throughput of 650 Mbps. The ASA 5540 is the highest model that supports a Security Services Module (SSM) in order to offer Content Inspection or Intrusion Prevention (IPS) services to the network. The SSM slot can also host a four-port Gigabit Ethernet card, in addition to the Content Inspection or IPS modules. The higher-end models 5550 and 5580 DO NOT support the SSM module. Note also the greatly enhanced number of supported VPN sessions (5000, or 2500 for SSL VPN) compared with smaller models. This enhancement makes the 5540 ideal for replacing the older VPN 3000 Concentrator device.

Cisco ASA 5520

Cisco ASA 5520 Features

Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5520 model. This model is suitable as an Internet edge device for medium-size enterprises but can also be used for internal LAN segmentation. From this model and up there are no Base License or Security Plus License options, as there are on the 5505 and 5510 models. Also, the four integrated network interfaces support gigabit 10/100/1000 speed by default. There is an additional Management interface which supports Fast Ethernet speed (10/100 Mbps). This interface can be used as a normal firewall interface by issuing the "no management-only" interface configuration command. So there are essentially five network interfaces integrated on the appliance.
