Cisco ASA Firewall Archives

Cisco ASA 5510

Cisco ASA 5510 Features

Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5510 model which is a very popular appliance for small to medium enterprises. Unlike the ASA 5505, this is a rack-mountable model (1U size) which supports also an add-on module (SSM – Security Services Module). Similarly with the 5505, the ASA 5510 comes also with two types of software licenses: Base License and Security Plus License, with the later offering advanced hardware and performance features.

In more detail, the Cisco ASA 5510 firewall features are the following: Read the rest of this entry

Cisco ASA 5505

Cisco ASA 5505 Features

In this post I’ll describe the software and hardware features of the Cisco ASA 5505 model. The ASA 5505 is the smallest model in the 5500 series and is suitable for small businesses or small branch offices and teleworkers. As it is a smaller size compared with the other models, it is not rack-mountable. It is the only model also that comes with an 8-port switch (with 2 power over Ethernet ports). The Cisco ASA 5505 ports are Layer 2 ports and not normal Layer 3 ports like the other models. To configure its Layer 2 ports you need to create VLANs and assign each port to a certain VLAN number. All interface parameters are configured under the “Interface VLAN [number]” command.

The Cisco ASA 5505 features depend on which software license is installed. There are two license options available: Base License and Security Plus License. The Security Plus license enables the Cisco ASA 5505 Appliance to support higher connection capacity and a higher number of IPsec VPN users, add full DMZ support, and integrate into switched network environments through VLAN trunking support. Moreover, the upgrade security plus license enables redundant ISP connections and stateless Active/Standby high-availability services.

In more detail, the Cisco ASA 5505 features are the following: Read the rest of this entry

Cisco Router with Cisco ASA for Internet Access

A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned a public IP address range of (that is a 32 address subnet). The usable addresses in this subnet range between and In our example we assign to the outside interface of the Cisco router and is the ISP gateway router. Also, we need to use address for accessing a DMZ web server which has a real private address of

Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet Also, the inside internal LAN subnet is The inside IP address of the ASA is

Traffic Flow:

We need to achieve the following traffic flow:

1) All Internal LAN hosts ( should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.

2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).


There are a few ways you can follow to achieve the functionality above. For sure we need to perform NAT on the border Cisco Router to translate our internal private addresses to public addresses assigned by our ISP. We have the option also to perform additional NAT on the ASA firewall, which however I wouldn’t recommend.

The way I would configure such a scenario is the following:

  • 1) For outbound communication (Internal LAN towards the Internet), do not translate the network on the Cisco ASA. Rather create a static mapping of to itself (will see this below) and configure NAT overload on the Cisco Router for the network
  • 2) For inbound communication (Internet towards Web Server), create again a static mapping on the ASA for address to itself, and perform static NAT on the Cisco Router to map to


Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.

Cisco ASA:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

! Now create a static NAT mapping of to itself
ciscoasa(config)# static (inside , outside) netmask

! Create also a static NAT mapping of Web Server to itself
ciscoasa(config)# static (DMZ , outside) netmask

EDIT: NAT Commands For Cisco ASA version 8.3 and later:

object network web_server_static
 nat (DMZ,outside) static

object network inside_mapped

object network internal-lan
 nat (inside,outside) static inside_mapped


! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside

ciscoasa(config)# route outside

Cisco Router:

interface ethernet 0
ip address
ip nat outside

interface ethernet 1
ip address
ip nat inside

!Assume the router uses address for all outbound communication
ip nat pool IP-POOL netmask
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit

!Configure Static NAT to map to
ip nat inside source static

ip route
ip route
ip route

Access Control Lists (ACLs) and Network Address Translation (NAT) are two of the most common features that coexist in the configuration of a Cisco ASA appliance. For both inbound and outbound access control lists, the IP addresses specified in the ACL depend on the interface where the ACL is applied. These IP addresses must be valid on the specific interface that the ACL is attached, regardless of NAT. Keep the following statement in mind: An Access Control List takes precedence over NAT. That is, an ACL is evaluated FIRST and then a NAT rule is applied to the packet.

For example, assume an inside host with private address is translated to a public address for outbound traffic (inside to outside). An ACL applied to the inside interface of the ASA firewall will first be evaluated to verify if the host can access the Internet (outbound communication) and if the ACL permits this communication, only then NAT will be performed to translate to This is shown in the figure below.

cisco asa nat and acl access list

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list INSIDE extended permit ip host host

ciscoasa(config)# access-group INSIDE in interface inside

!NAT can be applied only if ACL allows the communication

ciscoasa(config)# global (outside) 1 netmask

ciscoasa(config)# nat (inside) 1


Similarly, a scenario with inbound traffic (outside to inside) works again the same way. That is, an ACL is evaluated first for inbound traffic and then a NAT translation rule is applied. For example, assume we have a Web Server located on the inside network (should be on a DMZ for better security but for the sake of simplicity we assume it is located on the inside network). The private address configured on the Web Server is We configured also static NAT on the Firewall to map the private address of the Web Server to a public address on the outside (see figure below). Inbound traffic coming from the Internet towards the public address of the Web Server will first go through an ACL to verify if the traffic is permitted or not. If traffic is allowed by the ACL, then the static NAT will be applied to translate the destination address from to

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host eq 80

ciscoasa(config)# access-group OUTSIDE in interface outside

! Static NAT can be applied only if ACL allows the communication

ciscoasa(config)# static (inside,outside) netmask


For Cisco ASA version 8.3 and later, the order of operation regarding ACL and NAT is still the same (i.e ACLs are evaluated first and then static NAT takes place), HOWEVER the ACL now must reference the real private IP of the server and NOT the public IP.

In our example above, for ASA 8.3 the ACL would look like below:

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host eq 80

Maybe the most popular and frequently used command on Cisco ASA firewalls is the one which shows the current running configuration, that is the “show run” command. However, maybe the most powerful command on Cisco ASA is the “show version” command. An example output of a show version command is shown below:

CISCO-ASA#  show version

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is “disk0:/asa723-k8.bin”
Config file at boot was “startup-config”

CISCO-ASA up 25 mins 32 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode   : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0    : address is 001e.4afa.2404, irq 11
1: Ext: Ethernet0/0         : address is 001e.4afa.23fc, irq 255
2: Ext: Ethernet0/1         : address is 001e.4afa.23fd, irq 255
3: Ext: Ethernet0/2         : address is 001e.4afa.23fe, irq 255
4: Ext: Ethernet0/3         : address is 001e.4afa.23ff, irq 255
5: Ext: Ethernet0/4         : address is 001e.4afa.2400, irq 255
6: Ext: Ethernet0/5         : address is 001e.4afa.2401, irq 255
7: Ext: Ethernet0/6         : address is 001e.4afa.2402, irq 255
8: Ext: Ethernet0/7         : address is 001e.4afa.2403, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: 1234567890
Running Activation Key: 123456781234567812345678

Configuration register is 0x1
Configuration last modified by enable_15 at 05:35:16.773 UTC Wed Apr 2 2008

Usefulness of show version command:

The power of the show version command comes from the wealth of useful information you can obtain from the output of this command. Use the show version command to display the following information:

  • Appliance software version (in our example above it is 7.2(3)
  • Software version of ASDM GUI software (in our example above it is 5.2(3)
  • Where the appliance software image file is located (disk0:/asa723-k8.bin)
  • Appliance up-time since last reboot (25 mins 32 secs)
  • Appliance model, RAM memory and CPU type (ASA5505, 256 MB RAM, CPU Geode 500 MHz)
  • Flash Memory (Internal ATA Compact Flash, 128MB)
  • MAC Addresses of Ethernet Network Interfaces.
  • Licensed features
  • Serial Number (this can be used to order software upgrades)
  • Running activation key
  • Last time the configuration was modified.

Traffic Rate Limiting on Cisco ASA

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.


We want to rate limit a local internal host when accessing a specific external public server. The local host is and the external public server is We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host host

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

In order to be able to monitor and troubleshoot your Cisco ASA firewall, you need to understand the difference between connections and translations.

Refer to the diagram above for an explanation about Connections and Translations.

A Connection works at the Transport Layer and includes the Source IP/Source Port and the Destination IP/Destination Port. Connections are subsets of Translations. You can have many connections open that are all using the same Translation. For example, a connection shown above is originated from Internal source host with source port 1030 towards a Destination host (public Web Server) on Destination Port 80.

A Translation works at the IP Layer and includes the Real IP Address and the Mapped (Translated) IP Address. Using NAT or PAT, a Real IP address is translated to a Mapped IP address and vice-versa. From the diagram above, the Real IP address is translated to a Mapped IP address

Connection Related Commands

ASA# show conn
ASA# show conn details
ASA# show local-host

The above commands will display the current active connections and information details about each connection. An example output is the following:

TCP outside: inside: idle 0:00:05 bytes 1965 flags UIO

Translation Related Commands

ASA# show xlate
ASA# show xlate detail
ASA# clear xlate

The commands above enable you to display or clear the contents of the translation table. An example output is the following:

NAT from inside: to outside: flags i

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls known also as “Security Contexts”. Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available for virtual firewalls, such as IPSEC and SSL VPN, Dynamic Routing Protocols, Multicast and Threat Detection.

All firewall models (except ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510 which requires the security plus license).


Each security context that you create on the appliance includes its own configuration file (filename.cfg) stored on local flash memory. This configuration file contains the security policy, the included interfaces and the virtual firewall configuration of the specific security context. By default, an admin context is always created having a configuration file “admin.cfg“. This is just like any other security context except that when a user logs in the admin context then he has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command “mode multiple“) the firewall converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and “admin.cfg” that comprises the admin context (stored in the root directory of the internal Flash memory). The original running configuration is saved as “old_running.cfg” (in the root directory of the internal Flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

Changing between contexts and the system execution space:

When you connect with a console cable on the appliance, you will log in the system configuration (or the system execution space). The “system execution space” is the global appliance space from where you can then enter into specific security contexts. If you are logged in the “system execution space” and issue a “show run” command, this will ONLY show you the global system configuration and NOT the various security contexts configurations. You will need to log into a specific security context in order to change or see its configuration.

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:

 Page 6 of 10  « First  ... « 4  5  6  7  8 » ...  Last »