Guest Kronzy

Basic ASA firewall configuration


This tutorial shows a basic Cisco ASA firewall configuration. To bring the firewall up in an operating state, create a user for login, set the user's privilege level (privilege 15 is the most privileged Cisco level that can be assigned to a user) and turn on local authentication for SSH, Telnet, web and console access:

ciscoasa>enable
ciscoasa#conf t
ciscoasa(config)#hostname asa1
ASA1(config)#domain-name example.com

ASA1(config)#username John password Razor1293! privilege 15
ASA1(config)#aaa authentication ssh console LOCAL
ASA1(config)#aaa authentication telnet console LOCAL
ASA1(config)#aaa authentication http console LOCAL
ASA1(config)#aaa authentication serial console LOCAL
ASA1(config)#aaa authentication enable console LOCAL

ASA1(config)#console timeout 0

To enable SSH access you must create a crypto key pair and set up the address range and interface from which SSH access is allowed (the `encrypted` keyword is omitted from the username command above because it tells the ASA that the string supplied is already a hash, not a cleartext password; a 1024-bit RSA key is also considered weak today, so use 2048 bits or larger where the platform supports it):

ASA1(config)#crypto key generate rsa modulus 1024
ASA1(config)#ssh 192.168.15.0 255.255.255.0 inside
ASA1(config)#ssh timeout 30

Configure firewall interfaces:

ASA1(config)#interface ethernet0/0
ASA1(config-if)#switchport access vlan 2
ASA1(config-if)#speed 100
ASA1(config-if)#duplex full

ASA1(config)#interface Vlan1
ASA1(config-if)#nameif inside
ASA1(config-if)#ip address 192.168.15.1 255.255.255.0
ASA1(config-if)#security-level 100
ASA1(config-if)#no shutdown

ASA1(config)#interface Vlan2
ASA1(config-if)#nameif outside
ASA1(config-if)#ip address 193.222.168.113 255.255.255.240
ASA1(config-if)#security-level 0
ASA1(config-if)#no shutdown

Add a default route to set up the default gateway. The "show route" command shows the routes in the routing table, which can look something like this:

ASA1(config)#route outside 0.0.0.0 0.0.0.0 193.222.168.111 1
ASA1(config)#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 193.222.168.111 to network 0.0.0.0

C 192.168.15.0 255.255.255.0 is directly connected, inside
C 195.252.68.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 193.222.168.111, outside

ASA1(config)#

(The default route points to the address of the default gateway. All packets destined for external networks are sent via the default gateway.)

Next, set up Network Address Translation, more specifically PAT (Port Address Translation), which will translate your private addresses into public addresses and give your internal network access to the outside:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113
ASA1(config)#

(PAT is useful when you have a limited number of public IP addresses available for assignment to external interfaces. Using PAT, all internal addresses communicating with the external world share the public IP address of the outside interface. This is possible because every internal address is mapped to a different port on the public address.)
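As an added example (not part of the original post), here is a small Python audit over the command sequence typed in this tutorial, flagging the management-plane settings a reviewer would question: Telnet authentication left enabled, the console idle timeout disabled, a short RSA modulus, and SSH permitted from any source. The sample transcript, the 2048-bit threshold and the finding texts are my own choices.

```python
"""Audit an ASA configuration transcript for weak management-plane settings.
Added example; the transcript below is constructed from this tutorial's
commands (prompts removed) and is not the firewall's actual running-config."""
import re

# Constructed sample: the tutorial's commands as typed, without prompts.
SAMPLE_TRANSCRIPT = """\
hostname asa1
domain-name example.com
username John password Razor1293! privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
console timeout 0
crypto key generate rsa modulus 1024
ssh 192.168.15.0 255.255.255.0 inside
ssh timeout 30
"""

# Assumed threshold: RSA host keys shorter than this are reported as weak.
MIN_RSA_BITS = 2048


def audit_asa_transcript(transcript: str) -> list[str]:
    """Return one finding per weak setting, in the order the lines appear."""
    findings = []
    for line in (l.strip() for l in transcript.splitlines() if l.strip()):
        # Telnet sends credentials in cleartext; SSH is already configured here.
        if line.startswith("aaa authentication telnet"):
            findings.append("telnet authentication configured; prefer SSH only")
        # 'console timeout 0' disables the idle timeout on the serial console.
        m = re.match(r"console timeout (\d+)$", line)
        if m and int(m.group(1)) == 0:
            findings.append("console idle timeout disabled (console timeout 0)")
        # Short RSA host keys weaken SSH to the management interface.
        m = re.match(r"crypto key generate rsa modulus (\d+)$", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA host key modulus {m.group(1)} < {MIN_RSA_BITS}")
        # 'ssh <net> <mask> <if>' with mask 0.0.0.0 allows SSH from anywhere.
        m = re.match(r"ssh (\S+) (\S+) (\S+)$", line)
        if m and m.group(2) == "0.0.0.0":
            findings.append(f"ssh permitted from any address on {m.group(3)}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_transcript(SAMPLE_TRANSCRIPT):
        print("FINDING:", finding)
```

Running the script against the tutorial's commands reports the Telnet, console-timeout and 1024-bit key findings; the `ssh 192.168.15.0 255.255.255.0 inside` line passes because it restricts SSH to the inside subnet.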
