Basic configuration of Cisco ASA
Let’s look at an example of how to connect an office LAN to the Internet using a Cisco ASA firewall. For this example, we will use the junior model of the lineup, the Cisco ASA 5505. Its main distinction from the higher-end models is the integrated 8-port switch (Layer 2 of the OSI model). These switch ports cannot have an IP address assigned to them directly; to create Layer 3 interfaces, you configure a virtual interface (VLAN) and assign the IP address there. Assigning a port to a VLAN then lets that port use the VLAN’s IP address, just like assigning one to an interface of a router.
In this example we will use:
- An Internet uplink with static IP address
- Several hosts inside the office’s Local Area Network (LAN)
- Cisco ASA 5505 firewall
- Layer 2 switch (used only to connect the LAN hosts, without any additional configuration)
Our task: allow the internal LAN hosts to access the Internet through the firewall.
Step 0. Clear configuration
(Should be done only on new or test lab equipment, since it completely erases all existing configuration)
If your new device with factory settings asks for a password when you enter privileged mode (#) with the enable command, just hit “Enter”.
ciscoasa> enable
Password: /press Enter/
ciscoasa#
Let’s completely erase the startup configuration of the device. To do this, connect with a console cable to the console port of the device, enter configuration mode and type:
ciscoasa(config)# clear configure all
After this confirm the deletion of all configuration files.
Unlike with Cisco routers, you don’t have to reload the device in order to erase its configuration. The command “clear configure all” executed on the firewall leaves only the service lines of the factory configuration, and you can immediately begin to configure your device afresh.
Step 1. Hostname
In order to give your device a hostname and make it easier and more convenient to administer later, use the command “hostname <name>” in configuration mode:
ciscoasa(config)# hostname FW-DELTACONFIG
FW-DELTACONFIG(config)#
Step 2. Interface configuration
At the very minimum, you need to configure two interfaces on your firewall: the outside and the inside.
The outside interface will communicate with the Internet. Configure it with the IP address and subnet mask provided by your ISP:
FW-DELTACONFIG(config)#
interface Vlan1
nameif outside
security-level 0
ip address 200.150.100.2 255.255.255.252
no shut
The internal interface, inside, should be configured for the LAN:
FW-DELTACONFIG(config)#
interface Vlan2
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shut
At this point you have to attach your virtual VLAN interfaces to real Ethernet ports.
Here is how you tie together the outside interface and port Ethernet0/0:
FW-DELTACONFIG(config)#
interface Ethernet0/0
switchport access vlan 1
description --- WAN ---
no shut
Important!
Notice that the line with the “switchport access vlan 1” command will not be displayed in the running configuration output (the one shown by the “show run” command). The reason is that VLAN 1 is the default VLAN of every physical switch port. When you configure any VLAN other than the default one, the line does appear in the running configuration.
Configure your internal inside interface to use physical port Ethernet0/1:
FW-DELTACONFIG(config)#
interface Ethernet0/1
switchport access vlan 2
description --- LAN ---
no shut
Step 3. Configure Remote Access
In order to configure remote access for administration of your device through SSH protocol, you need to do the following:
Create a password for privileged mode (#). Enter your desired password instead of “XXXXX”:
FW-DELTACONFIG(config)#
enable password XXXXX
Create an administrator account. Enter your desired password instead of “YYYYY” for the user admin:
FW-DELTACONFIG(config)#
username admin password YYYYY privilege 15
Specify the authentication method and generate the RSA keys:
FW-DELTACONFIG(config)#
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
/confirm by pressing y
Specify the IP address of the administrator workstation from which to allow remote access via SSH, and the interface that accepts the management connections (inside). You can list multiple IP addresses or entire networks as management sources.
FW-DELTACONFIG(config)#
ssh 192.168.10.100 255.255.255.255 inside
After performing these steps you should be able to access the firewall through the SSH protocol from the workstation with IP 192.168.10.100.
Step 4. Configure the default gateway
In order to route packets to the Internet, your firewall needs a default gateway (the closest IP address on the ISP side) and the interface through which that gateway is reached (outside).
FW-DELTACONFIG(config)#
route outside 0.0.0.0 0.0.0.0 200.150.100.1
After configuring the default route, you can check both the availability of your ISP and your access to the Internet by pinging any address reachable on the Internet. For this example, we’ll take the IP address of the most-pinged resource, Google’s DNS server (8.8.8.8):
FW-DELTACONFIG# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/8/15 ms
Important!
Please note that, at this stage, you can only send ICMP requests from the CLI of your Cisco ASA device. The workstations in your LAN will not have access to the Internet until after performing the next steps.
Step 5. Configure Network Address Translation (NAT)
NAT configuration commands differ depending on the device’s software version. Check which version you have by entering the “sh ver” command:
FW-DELTACONFIG# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)11
Step 5.1 NAT for access to the Internet (from inside to outside, PAT)
In order for the LAN hosts to have access to the Internet, their private (grey) IP addresses need to be translated into a public (white) IP address.
Configuration commands for version 8.2.x and older
FW-DELTACONFIG(config)#
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
Configuration commands for version 8.3.x and newer
FW-DELTACONFIG(config)#
object network OBJ_NAT_LAN
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface
Result:
After configuring PAT in this way, your LAN workstation IP addresses will be dynamically translated into the IP address of the outside interface.
Important!
You can also translate traffic into a specific IP address that is not assigned to one of your interfaces (this works when your ISP allocated you a subnet larger than /30). Only two options are supported:
- The first option is translating into the outside interface IP address, as in the example above
- The second option is translating into an IP address on the same subnet as the outside interface, but not the address of the interface itself
In all other cases the NAT translation will not work correctly, if it works at all.
Step 5.2 NAT for access from the Internet to a resource in the internal network (static NAT)
If you need to organize access from the Internet to an address in your LAN, for example for a web server, then you have to configure static NAT translation.
Configuration commands for version 8.2.x and older
FW-DELTACONFIG(config)#
static (inside,outside) interface 192.168.10.200 netmask 255.255.255.255
Important!
Pay attention to the order of the interfaces and addresses. Inside the parentheses the internal interface comes first, then the external one. The addresses that follow are listed in the reverse order: the external (mapped) address first, then the internal (real) one.
Configuration commands for version 8.3.x and newer
FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface
Result:
This configuration will force all traffic sent to the outside IP address of the firewall to be redirected to the internal LAN address 192.168.10.200.
Or, to forward a single port only:
Configuration commands for version 8.2.x and older
FW-DELTACONFIG(config)#
static (inside,outside) tcp interface www 192.168.10.200 www netmask 255.255.255.255
Configuration commands for version 8.3.x and newer
FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface service tcp www www
Result:
In this case only the traffic sent to the outside interface of your firewall for port TCP 80 (HTTP protocol) will be redirected to the internal LAN address 192.168.10.200.
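To make the difference between the two NAT rules of Step 5 concrete, here is a small Python model of the translation table: outbound traffic from the LAN gets dynamic PAT onto the outside interface address, inbound TCP 80 to the outside address is statically forwarded to the web server, and any other unsolicited inbound packet has no translation and is dropped. This is an added example, not code from the article or from Cisco; it uses the article’s addresses (200.150.100.2, 192.168.10.0/24, 192.168.10.200) and, as a constructed simplification, hands out mapped ports sequentially from 1024 instead of preserving the source port the way the ASA tries to. It models translation only; the access lists of Step 6 are still needed for the forwarded traffic to be allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the article's configuration.
OUTSIDE_IP = ipaddress.ip_address("200.150.100.2")   # outside interface (Vlan1)
LAN = ipaddress.ip_network("192.168.10.0/24")        # OBJ_NAT_LAN / nat (inside) 1
WEB_SERVER = ipaddress.ip_address("192.168.10.200")  # OBJ_NAT_SERVER
FORWARDED = ("tcp", 80)                              # static ... service tcp www www


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Translator:
    """Toy model of the article's two NAT rules: dynamic PAT outbound,
    static port forward inbound. Constructed simplification: mapped ports
    are allocated sequentially from 1024."""

    def __init__(self):
        self.next_port = 1024
        self.xlate = {}  # (proto, mapped port) -> (real source ip, real source port)

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """inside -> outside: the source becomes the outside address plus a mapped port."""
        if ipaddress.ip_address(flow.src) not in LAN:
            return None  # no NAT rule covers this source, nothing is translated
        mapped = self.next_port
        self.next_port += 1
        self.xlate[(flow.proto, mapped)] = (flow.src, flow.sport)
        return Flow(flow.proto, str(OUTSIDE_IP), mapped, flow.dst, flow.dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """outside -> inside: static forward first, then replies to existing PAT
        entries, otherwise the packet has no translation and is dropped."""
        if ipaddress.ip_address(flow.dst) != OUTSIDE_IP:
            return None
        if (flow.proto, flow.dport) == FORWARDED:
            return Flow(flow.proto, flow.src, flow.sport, str(WEB_SERVER), FORWARDED[1])
        real = self.xlate.get((flow.proto, flow.dport))
        if real is None:
            return None  # unsolicited inbound traffic to any other port
        real_ip, real_port = real
        return Flow(flow.proto, flow.src, flow.sport, real_ip, real_port)


if __name__ == "__main__":
    t = Translator()
    # Constructed sample flows: a DNS query from a LAN host and its reply,
    # an HTTP request to the published server, and an unsolicited SSH attempt.
    q = t.outbound(Flow("udp", "192.168.10.10", 51000, "8.8.8.8", 53))
    print("DNS query on the wire:", q)
    print("DNS reply delivered to:", t.inbound(Flow("udp", "8.8.8.8", 53, "200.150.100.2", q.sport)))
    print("HTTP from Internet:", t.inbound(Flow("tcp", "203.0.113.7", 40000, "200.150.100.2", 80)))
    print("SSH from Internet:", t.inbound(Flow("tcp", "203.0.113.7", 40001, "200.150.100.2", 22)))
```

Running the block shows the DNS query leaving as 200.150.100.2:1024, the reply being mapped back to 192.168.10.10:51000, the HTTP request landing on 192.168.10.200:80, and the SSH attempt returning None because no rule translates it.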
Important!
Instead of using the keyword “interface”, you can specify an actual IP address that is different from the IP address that is configured for the “outside” interface, but in this example this is not possible: the ISP has assigned us a subnet of only 4 addresses – 200.150.100.0 /30 – out of which we can use only two. 200.150.100.1 is configured on the ISP side as our default gateway, 200.150.100.2 is assigned to our outside interface. Therefore, this subnet does not allow for any other IP addresses.
Yet if we were provided a slightly larger address space, for example 200.150.100.0 with a subnet mask of /29, then we could have used 6 out of the 8 IPs in the subnet, 200.150.100.1 – 200.150.100.6. Two addresses would still be taken up by the gateway and the interface, but 4 more are available for use. In this case, we could configure the NAT translation for the server on a different address in this subnet, for example 200.150.100.3.
Configuration commands for version 8.2.x and older
FW-DELTACONFIG(config)#
static (inside,outside) tcp 200.150.100.3 www 192.168.10.200 www netmask 255.255.255.255
Configuration commands for version 8.3.x and newer
FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static 200.150.100.3 service tcp www www
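The /30 versus /29 discussion above is a planning question that is easy to get wrong by hand, so here is an added Python helper (not part of the article) that lists which addresses of an ISP block are actually free for a static NAT mapped address once the network and broadcast addresses, the ISP gateway and the firewall’s own outside address are excluded, falls back to the “interface” keyword when nothing is free, and renders the two command syntaxes the article shows. The function names and the 192.168.10.200 / www defaults are assumptions made for the example; the addresses and prefix lengths are the article’s.

```python
import ipaddress


def static_nat_candidates(isp_block, gateway, outside_ip):
    """Public addresses of the ISP block usable as mapped addresses for static NAT.
    Network and broadcast addresses are excluded by hosts(); the ISP gateway and
    the firewall's outside address are excluded because they are already in use."""
    net = ipaddress.ip_network(isp_block, strict=True)
    usable = set(net.hosts())
    reserved = {ipaddress.ip_address(gateway), ipaddress.ip_address(outside_ip)}
    if not reserved <= usable:
        raise ValueError("gateway and outside address must be usable hosts of the ISP block")
    return [str(ip) for ip in net.hosts() if ip not in reserved]


def choose_mapped_address(isp_block, gateway, outside_ip):
    """First free address if there is one, otherwise 'interface' (share the
    outside interface address, which is what the article does for its /30)."""
    free = static_nat_candidates(isp_block, gateway, outside_ip)
    return free[0] if free else "interface"


def static_nat_commands(mapped, real="192.168.10.200", port="www"):
    """Render the pre-8.3 and the 8.3+ syntax for a single-port static NAT."""
    old = f"static (inside,outside) tcp {mapped} {port} {real} {port} netmask 255.255.255.255"
    new = [
        "object network OBJ_NAT_SERVER",
        f" host {real}",
        f" nat (inside,outside) static {mapped} service tcp {port} {port}",
    ]
    return old, new


if __name__ == "__main__":
    for block in ("200.150.100.0/30", "200.150.100.0/29"):
        free = static_nat_candidates(block, "200.150.100.1", "200.150.100.2")
        mapped = choose_mapped_address(block, "200.150.100.1", "200.150.100.2")
        print(f"{block}: free for static NAT = {free or 'none'}; use mapped address '{mapped}'")
        old, new = static_nat_commands(mapped)
        print("  8.2 and older:", old)
        print("  8.3 and newer:", *new, sep="\n    ")
```

For the article’s /30 the candidate list is empty and the helper picks “interface”; for the /29 it lists .3 through .6 and picks 200.150.100.3, matching the commands shown above.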
Important!
Please note that simply creating NAT rules does not provide access to the resources being configured. In order to have access to those resources, you need to also configure access lists and attach them to the relevant interfaces. By default, the firewall does not allow any traffic to pass between its interfaces, unless specifically allowed to do so by an access list – this is called implicit deny.
Read more about static NAT or Port forwarding in the article “Cisco ASA port forwarding explained”
Step 6. Configure access lists
So that this article does not get cluttered with a lot of theory on how access lists work, I will provide an example configuration that is sufficient for most small offices. If you need to allow access to any other resources, add access list rules in a similar fashion.
Important!
It is possible to write all access list rules using only numerical IP addresses, but for ease of future administration it is considered best practice to first create named objects that describe the groups of IP addresses they contain, and then reference these named objects in all access list rules. This is the more practical and convenient way to configure the firewall.
Let’s start with an access list that allows access from the local LAN to the Internet. Here are the rules that we need to configure:
– Each user or device on the local LAN needs access to the Internet in order to browse web sites
– The workstations of the company’s director and IT administrator need unlimited Internet access
– The workstation of a certain manager needs special access to a certain resource on port TCP 9443
First, we configure object groups:
NET_LAN – all local LAN users
USER_CEO – director’s workstation
USER_ADMIN – IT administrator’s workstation
USER_PRIVELEDGED – manager workstations that need privileged access to resources
HOST_X – specific resource on the Internet that needs to be accessible by the manager’s workstation
USERS_FULL_ACCESS – named group, for which we will grant unlimited access to the Internet
SERVICE_HTTP_HTTPS – group that lists the standard ports for web browsing
HOST_DNS – external DNS server address
SERVICE_DNS – group that lists the DNS service ports
FW-DELTACONFIG(config)#
object-group network NET_LAN
network-object 192.168.10.0 255.255.255.0
object-group network USER_CEO
network-object host 192.168.10.10
object-group network USER_ADMIN
network-object host 192.168.10.100
object-group network USERS_FULL_ACCESS
group-object USER_CEO
group-object USER_ADMIN
object-group network USER_PRIVELEDGED
network-object host 192.168.10.50
network-object host 192.168.10.51
object-group network HOST_X
network-object host 1.1.1.1
object-group network HOST_DNS
network-object host 8.8.8.8
object-group service SERVICE_HTTP_HTTPS
service-object tcp eq http
service-object tcp eq https
object-group service SERVICE_DNS
service-object tcp eq 53
service-object udp eq 53
Create an access list named ACL_INSIDE_IN that will describe all the rules:
Unlimited access for the group USERS_FULL_ACCESS to the Internet:
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit ip object-group USERS_FULL_ACCESS any
Special access for users in USER_PRIVELEDGED group to the resource listed in group HOST_X using the port TCP 9443:
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit tcp object-group USER_PRIVELEDGED object-group HOST_X eq 9443
Access to the Internet using ports TCP 80 (HTTP) and TCP 443 (HTTPS) for all LAN hosts:
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit object-group SERVICE_HTTP_HTTPS object-group NET_LAN any
Access to Google’s DNS server for all hosts on the local LAN:
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit object-group SERVICE_DNS object-group NET_LAN object-group HOST_DNS
ICMP access from any host on the local LAN to any outside resource, so that users can ping:
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended permit icmp object-group NET_LAN any
An explicit deny for all other connections. The keyword “log” at the end lets us see in the system log every attempt that was blocked by this access list.
FW-DELTACONFIG(config)#
access-list ACL_INSIDE_IN extended deny ip any any log
The order of rules in an access list is extremely important! The firewall processes the topmost rule first, then the one below it, and continues until it finds a match on the addresses and ports of the packet or reaches the end of the access list. If you put your deny rule in the middle, everything below it is never reached and the required access will not be granted.
After you have listed all the desired access rules, you need to assign the access list ACL_INSIDE_IN to the “inside” interface. Until you do so, the access list does not affect the traffic going through the firewall in any way. In order to assign it to an interface, use the following command:
FW-DELTACONFIG(config)#
access-group ACL_INSIDE_IN in interface inside
On top of that, let’s enable ICMP inspection so that replies to our pings are accepted automatically:
FW-DELTACONFIG(config)#
policy-map global_policy
class inspection_default
inspect icmp
The access list controlling the outside interface will be smaller, since we only need to allow access to the web server inside our office. This rule supplements the NAT rules, specifically the one that translates the internal private IP address of the web server into the public IP address assigned to the firewall’s “outside” interface. Note that the rule below is written for version 8.2.x and older, where access lists match the translated (mapped) address; on 8.3.x and newer, access lists match the real address, so the permit line would reference host 192.168.10.200 instead of “interface outside”.
Configure the access list named ACL_OUTSIDE_IN and assign it to the external “outside” interface in the same way as we did for the internal interface above:
FW-DELTACONFIG(config)#
access-list ACL_OUTSIDE_IN extended permit tcp any interface outside eq 80
access-list ACL_OUTSIDE_IN extended deny ip any any log
access-group ACL_OUTSIDE_IN in interface outside
Don’t forget about static NAT:
Configuration commands for version 8.2.x and older
FW-DELTACONFIG(config)#
static (inside,outside) interface 192.168.10.200 netmask 255.255.255.255
Configuration commands for version 8.3.x and newer
FW-DELTACONFIG(config)#
object network OBJ_NAT_SERVER
host 192.168.10.200
nat (inside,outside) static interface
Now our configuration has both the static NAT rules and the access list rules that allow the traffic. Consequently, any host out in the Internet trying to connect to the IP address configured on the “outside” interface of our firewall (200.150.100.2) and TCP port 80 (HTTP protocol) will be allowed access and translated into a request to connect to the internal IP address of the web server (192.168.10.200).
All the functions and configs above are typically present in every Cisco ASA firewall setup in every office. I hope this simple article will help you with your tasks. Don’t hesitate to write me if you have any questions.
Important!
Don’t forget to save the changes you made to the configuration with the “write” or “copy run start” command. Otherwise you will lose all changes after the next reload.
FW-DELTACONFIG# write
Building configuration...
[OK]
This article was written by Alexey Yurchenko
How is the switch configured…
Thank you very much
Very informative. Thanks for sharing.