The Cisco ASA 5505 Firewall is the smallest model in the new Cisco 5500 series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as those of the biggest models (5510, 5520, 5540 etc.). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application-aware security, denial of service attack protection and much more. Moreover, the ASA 5505 appliance supports 150 Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

In this article I will explain the basic configuration steps needed to set up a Cisco ASA 5505 firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (200.200.200.1 as an example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface.

The difference between the 5505 model and the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; instead you have to create VLAN interfaces and assign the Layer 2 interfaces to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network.

Let’s go through the most important configuration steps. In the network topology for this setup, port Ethernet0/0 connects to the Internet, and ports Ethernet0/1 to 0/7 connect to internal hosts (PCs etc.).

Step 1: Configure the internal interface vlan

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shut

Step 2: Configure the external interface vlan (connected to Internet)

ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shut

Step 3: Assign Ethernet 0/0 to Vlan 2

ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Step 4: Enable the remaining interfaces with no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

Do the same for Ethernet0/1 to 0/7.

Step 5: Configure PAT on the outside interface

ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3

In March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially to the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Step 6: Configure a default route towards the ISP (assume default gateway is 200.200.200.2)

ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

The above steps are the minimum you need to configure to make the appliance operational. Of course there are many more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.
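A quick way to confirm that a saved configuration contains everything from Steps 1 to 6, written as an added Python example (it is not part of the original article and is not a Cisco tool). The names parse_blocks, audit and SAMPLE, and the sample configuration text, are constructed for illustration; the PAT check accepts either the pre-8.3 or the 8.3+ syntax shown in Step 5.

```python
import re

# Constructed sample assembled from the commands in Steps 1-6 (8.3+ NAT syntax).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Ethernet0/0
 switchport access vlan 2
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
"""

def parse_blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if line[:1] == " " and line.strip() and parent:
            blocks[parent].append(line.strip())
        elif line.strip() not in ("", "!"):
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit(config):
    """Return one finding per missing step; an empty list means all are present."""
    blocks, levels = parse_blocks(config), {}
    for head, body in blocks.items():
        sub = dict(l.split(None, 1) for l in body if " " in l)
        if re.match(r"interface Vlan\s*\d+$", head) and "nameif" in sub:
            levels[sub["nameif"]] = int(sub.get("security-level", -1))
    has = lambda pat: any(re.match(pat, top) for top in blocks)
    legacy = has(r"global \(outside\) \d+ interface$") and has(r"nat \(inside\) \d+ ")
    modern = any("nat (inside,outside) dynamic interface" in b for b in blocks.values())
    checks = [
        (levels.get("inside") == 100, "inside VLAN not at security-level 100"),
        (levels.get("outside") == 0, "outside VLAN not at security-level 0"),
        ("switchport access vlan 2" in blocks.get("interface Ethernet0/0", []),
         "Ethernet0/0 not in VLAN 2"),
        (legacy or modern, "no PAT rule from inside to the outside interface"),
        (has(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+"), "no default route on outside"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pass audit() the text of a saved running configuration; each returned string names a step that is missing or set differently from this article.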


Cisco ASA 5580

Cisco ASA 5580 Features

The 5580 is the flagship Cisco ASA model. It comes in two versions, the ASA 5580-20 and the ASA 5580-40, which differ in their performance parameters. The ASA 5580 is basically an HP Server Chassis with 6 slots on the back for inserting interface card modules. The 5580 is designed for the largest and most traffic-demanding network topologies. It is ideal for high-speed data centers and large campus networks. It supports the largest firewall throughput in the hardware firewall market, with 5 Gbps (5580-20) and 10 Gbps (5580-40) capacity. It is also the only model supporting 10 Gbps interfaces. Like the 5550, it does not support an embedded Security Services Module (SSM), so you cannot integrate IDS/IPS functionality inside the same chassis.
Let’s see the features of the ASA 5580 in more detail below:

Cisco ASA 5550

Cisco ASA 5550 Features

Now let us see the next ASA model in the series, which is the Cisco ASA 5550. With over one gigabit firewall performance (1.2 Gbps), this appliance can easily be used on ISP public services segments or on medium data rate campuses and data centers. From this model and up, there is no support for the Security Services Module (SSM), so you cannot include IDS/IPS or Content Inspection functionality integrated inside the box. However, with this model you get the advantage of having eight integrated gigabit copper ports (8-10/100/1000) PLUS four optical gigabit ports (4 SFPs), which means you will not run out of network port capacity easily.

Let’s see the features of the ASA 5550 in more detail below:

Cisco ASA 5540

Cisco ASA 5540 Features

Next in line is the Cisco ASA 5540 Firewall appliance. This device is geared towards large enterprises which need firewall throughput of 650 Mbps. The ASA 5540 is the highest model that supports a Security Services Module (SSM) in order to offer Content Inspection or Intrusion Prevention (IPS) services to the network. The SSM module can also host a four-port Gigabit Ethernet card, in addition to the Content Inspection or IPS modules. The higher-end models 5550 and 5580 DO NOT support the SSM module. Note also the greatly increased number of supported VPN sessions (5000 or 2500 for SSL VPN) compared with smaller models. This enhancement makes the 5540 ideal for replacing the older VPN 3000 Concentrator device.

Let’s see the features of the ASA 5540 in more detail below:

Cisco ASA 5520

Cisco ASA 5520 Features

Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5520 model. This model is suitable as an Internet Edge device for medium-size enterprises but can also be used for internal LAN segmentation. From this model and up there are no Base License or Security Plus License options such as those on the 5505 and 5510 models. Also, the four integrated Network Interfaces support gigabit 10/100/1000 speed by default. There is an additional Management Interface which supports Fast Ethernet speed (10/100 Mbps). This Interface can be used as a normal firewall interface by issuing the “no management-only” interface configuration command. So there are essentially five network interfaces integrated on the appliance.

In more detail, the Cisco ASA 5520 firewall features are the following:
