Issuing the show version command on a Cisco Adaptive Security Appliance (ASA), often simply called a network firewall, displays information unique to that type of hardware.
Cisco ASA5500 (5. Series Firewall Security Appliance Startup Configuration & Basic Concepts. Introducing the Cisco ASA 5. Series Firewall Appliance.
The Cisco ASA 5. 50. Today Firewall.cx takes a look at how to easily set up a Cisco ASA5. Internet, securely access and manage the ASA Firewall and more. While many consider the Cisco ASA Firewalls complex and difficult-to-configure devices, Firewall.
ASA Firewall to deliver basic and advanced functionality. We've done it with other Cisco technologies and devices, and we'll do it again :) The table below provides a brief comparison between the different ASA5.
Feature | Cisco ASA 5. | Cisco ASA 5510 | Cisco ASA 5. | Cisco ASA 5540 | Cisco ASA 5.
Users/Nodes | 10, 5. | Unlimited | Unlimited | Unlimited | Unlimited
Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps
Maximum Firewall and IPS Throughput |
The same steps are required to set up pretty much all ASA5. Firewalls, which is great news! The main differences, besides the licenses (which enable or disable features), are the physical interfaces of each ASA model (mainly between the ASA 5. In any case, we should keep in mind that if we are able to configure a small ASA5.
At the time of writing of this article, Firewall. Cisco ASA5505, so we decided to put it to good use for this article; however, do note that all commands and the configuration philosophy are the same across all ASA5. Note: ASA software version 8.
NAT configuration commands. This article provides both old-style (up to v. NAT configuration commands. Additional reading material: Users seeking nothing but the best security information on ASA Firewalls, written by leading Cisco Security Engineers, should consider the following highly recommended Cisco Press titles: ASA5. Series Configuration Check-List. We've created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall.
Here is the list of items that will be covered in this article:
- Erase existing configuration.
- Configure Hostname, Users, Enable password & Disable Anonymous Reporting.
- Configure interface IP addresses or VLAN IP addresses (ASA5. Descriptions.
- Setup Inside (private) & Outside (public) Interfaces.
- Configure default route (default Gateway) & static routes.
- Configure Network Address Translation (NAT) for Internal Networks.
- Configure ASA DHCP Server.
- Configure AAA authentication for local database user authentication.
- Enable HTTP Management for inside interface.
- Enable SSH & Telnet Management for inside and outside interfaces.
- Create, configure and apply TCP/UDP Object-Groups to firewall access lists.
- Configuration of access-lists for ICMP packets to the Internet.
- Apply Firewall access lists to .
If the firewall has been previously configured or used, it is a good idea to start off with the factory defaults.
If we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is deleted we need to force a reboot; however, take note that it's important not to save the system config, so that the running-config is not copied to the startup-config, otherwise we'll have to start this process again:
ciscoasa(config)# write erase
Erase configuration in flash memory?
The ASA Firewall won't ask for a username/password when logging in next; however, the default enable password of . To learn more about this feature, please visit: http://www. Would you like to enable anonymous error reporting to help improve the product?
We declined the offer and continued with our setup:
ciscoasa(config)# hostname ASA5505
ASA5505(config)# enable password firewall.
ASA5505(config)# username admin password s.
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands, including erasing the configuration and files on the device's flash disk, such as the operating system.
Configure Interface IP addresses / VLAN IP Addresses & Descriptions.
Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA5. VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA5. In many cases network engineers use VLAN interfaces on the larger ASA5. In the case of the ASA5.
VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# description Private-Interface
ASA5505(config-if)# ip address 1.
ASA5505(config-if)# no shutdown
!
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address 1.
ASA5505(config-if)# no shutdown
!
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
Alternatively, the Public interface (VLAN2) can be configured to obtain its IP address automatically via DHCP with the following commands:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown
The setroute parameter at the end of the command ensures the ASA Firewall sets its default route (gateway) using the default gateway the DHCP server provides. After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface.
Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order to make them operational. All of these ports are, by default, access links for VLAN1.
Provided are the configuration commands for the first two ethernet interfaces, as the configuration is identical for all:
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown
Setup Inside (private) & Outside (public) Interfaces.
Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted (private) network and which to the untrusted (public) network:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
INFO: Security level for .
To change the security-level of an interface, use the security-level xxx command, substituting xxx with a number from 0 to 100. The higher the number, the higher the security level. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.
ASA5505(config)# route outside 0.
At this point, it's a good idea to test the next-hop router and confirm the ASA Firewall can reach it:
ASA5.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.
Success rate is 1.
For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer.
These additional networks are contactable via a Layer. IP address 1. 0. 7.
ASA5505(config)# route outside 1.
ASA5505(config)# route outside 1.
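The nameif / security-level step above decides which connections the ASA permits before any access-list exists: initiation from a higher security level toward a lower one is allowed by default, the reverse is denied, and equal levels are denied unless same-security-traffic permit inter-interface is configured. The following Python is an added example (not code from the article or from Cisco) that parses a constructed running-config excerpt in the shape shown above and lists every interface pair that is open by default, so the implicit policy can be reviewed before access lists are written; the interface names and addresses are made up.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt in the shape of the ASA5505 VLAN
# interface setup described above; names and addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.0.7.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""


def parse_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level.

    When no security-level command is present the ASA assigns a default:
    100 for the name "inside" and 0 for every other name (the
    "INFO: Security level ... set to ... by default" message seen above).
    """
    levels: Dict[str, int] = {}
    name, level = None, None

    def flush() -> None:
        if name is not None:
            levels[name] = level if level is not None else (100 if name == "inside" else 0)

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            flush()                      # end of the previous interface block
            name, level = None, None
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    flush()
    return levels


def same_security_permitted(config: str) -> bool:
    """True if traffic between equal-security interfaces has been enabled."""
    return any(l.strip() == "same-security-traffic permit inter-interface"
               for l in config.splitlines())


def initiation_allowed_by_default(levels: Dict[str, int], src: str, dst: str,
                                  same_security: bool = False) -> bool:
    """Whether a connection initiated from src toward dst passes with no ACL:
    higher -> lower yes, lower -> higher no, equal only with same-security."""
    s, d = levels[src], levels[dst]
    if s > d:
        return True
    if s == d:
        return same_security
    return False


def implicit_flows(config: str) -> List[Tuple[str, str]]:
    """Every (src, dst) pair open without an access-list; review these first
    (in the sample, dmz -> outside is open as well as inside -> dmz)."""
    levels = parse_security_levels(config)
    same = same_security_permitted(config)
    return sorted((a, b) for a in levels for b in levels
                  if a != b and initiation_allowed_by_default(levels, a, b, same))
```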
Configure Network Address Translation (NAT) for Internal Networks. This is the last step required to successfully provide Internet access to our internal networks.
Network Address Translation is essential to masquerade our internal network using the single IP address our Public interface has been configured with. We will provide both sets of commands to cover installations with software version up to v. The following commands apply to ASA appliances with software version up to 8.
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool.
ASA5505(config)# nat (inside) 1 1.
ASA5505(config)# nat (inside) 1 1.
ASA5505(config)# nat (inside) 1 1.
In the above configuration, the ASA Firewall is instructed to NAT all internal networks using NAT group 1. In this case, we define the internal IP addresses to be NAT'ed with the use of access lists:
ASA5505(config)# access-list NAT-ACLs extended permit ip 1.
ASA5505(config)# access-list NAT-ACLs extended permit ip 1.
ASA5505(config)# access-list NAT-ACLs extended permit ip 1.
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool.
ASA5505(config)# nat (inside) 1 access-list NAT-ACLs
NAT with the use of access lists provides greater flexibility and control over which IP addresses or networks will use the NAT service. With software version 8. NAT configuration lines. The new NAT format now utilizes .
The ASA Firewall can be configured to provide DHCP services to our internal network, a very handy and welcome feature. Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the maximum number of assigned IP addresses for the DHCP pool was just 1. Note that the DHCP service can run on all ASA interfaces, so it is necessary to specify which interface the DHCP configuration parameters are for:
ASA5.
Warning, DHCP pool range is limited to 1.
ASA5505(config)# dhcpd address 1.
ASA5505(config)# dhcpd dns 8.
Once configured, the DHCP service will begin working and assigning IP addresses to the clients. The gateway IP address parameter is automatically provided to clients and does not need to be configured on the ASA Firewall appliance. We can verify the DHCP service is working using the show dhcpd statistics command:
ASA5505# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools 1
Automatic bindings 1
Expired bindings 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 1
If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.
Cisco ASA Licensing: Licensed Features on ASA
This chapter covers the following topics:
- Licensed features on ASA
- Managing licenses with activation keys
- Combined licenses in failover and clustering
- Shared Premium AnyConnect VPN licensing
ASA offers a very comprehensive feature set that helps secure networks of all shapes and sizes.
To deliver the desired functionality within the available budget while allowing for future scalability, you can unlock advanced security capabilities and increase certain system capacities on demand through a flexible system of feature licenses. Some characteristics of the hardware platform or expansion modules can enable certain feature licenses implicitly. You can also activate additional licenses permanently or for a certain duration of time. When multiple Cisco ASA devices participate in failover or clustering, some licensed capacities automatically aggregate up to the platform hardware limit to maximize your investment. Although this flexible system may seem complicated at first, it actually makes the task of customizing a Cisco ASA for your specific business needs quite easy.
Every Cisco ASA platform comes with a certain number of implicitly activated features and capacities as a part of the Base License. In other words, these capabilities are fixed in the given software image for the particular hardware; you cannot selectively disable them. One example of such a feature is Active/Active failover, which is always available on all Cisco ASA 5. X appliances. Some platforms offer the optional Security Plus license, which may unlock additional features or capacities on top of the Base License. For example, you can increase the maximum concurrent firewall connection count on the Cisco ASA 5.
Security Plus license. In addition to the Base and Security Plus licenses, you can activate other advanced security features individually:
- Some capabilities operate in a simple binary switch fashion, whereby the license for the feature type is either enabled or disabled; once enabled, there are typically no direct restrictions on how much the feature can be used. For instance, the Botnet Traffic Filter license will allow you to protect all connections through a Cisco ASA up to the maximum limit for the platform.
- Other features may carry their own capacity limits that come in quantified tiers. An example of such a feature is the ability to configure security contexts on some Cisco ASA appliances. On the Cisco ASA 5. Base License allows creating up to two application contexts, while several premium licenses of different tiered counts allow extending this limit up to 2.
Not all of the licensed features and capabilities are available on all hardware platforms. For instance, at the time of writing, the clustering feature is currently available only on Cisco ASA 5. X, ASA 5580, and ASA 5. X appliances. Depending on specific markets and international export regulations, some Cisco ASA models may also ship with the permanent No Payload Encryption license; this license ties to the particular hardware without the option of change or removal. The following licensed features and capacities are not available on any No Payload Encryption hardware models:
- AnyConnect Premium Peers
- AnyConnect Essentials
- Other VPN Peers
- Total VPN Peers
- Shared License
- AnyConnect for Mobile
- AnyConnect for Cisco VPN Phone
- Advanced Endpoint Assessment
- UC Phone Proxy Sessions
- Total UC Proxy Sessions
- Intercompany Media Engine
As you identify the correct feature set to take the most advantage of Cisco ASA capabilities while fully protecting your network, it helps to organize the licensed features into the following logical categories:
- Basic platform capabilities: Typically relevant to all Cisco ASA deployments.
- Advanced security features: Can satisfy specific network design goals for a particular Cisco ASA installation.
- Tiered capacity features: Depend on the size of a projected user base and allow for future growth.
These categories are discussed in turn next.
Basic Platform Capabilities
Basic licensed features define the foundation of the Cisco ASA capabilities that are common to all installations and designs, such as the following:
- Dictating the elementary characteristics of how an ASA device connects to the network.
- Establishing the quantity and speed capabilities of physical and logical interfaces.
- Limiting the number of protected connections and inside hosts.
- Defining high-availability options.
- Setting the baseline encryption algorithms that the system can use.
The following licensed features fall under the category of basic platform capabilities:
Firewall Connections: Cisco ASA Software limits the maximum concurrent count of all stateful connections depending on the hardware platform. This limit can only be increased with the Security Plus license on Cisco ASA 5. ASA 5510, and ASA 5. X appliances. The system will deny only new attempted connections above the licensed limit; there are no adverse effects for existing connections in this case.
Maximum Physical Interfaces: All Cisco ASA platforms always allow you to use all of the available physical interfaces, so this feature either shows the actual number of physical interfaces on the Cisco ASA 5. Unlimited on all other platforms. There are additional platform-specific limitations on the total number of interfaces that can be configured in the system; the total limit covers physical and redundant interfaces, VLAN subinterfaces, EtherChannels, and bridge groups.
Maximum VLANs: Each platform has its own limit on the maximum number of configurable VLANs. This limit can be expanded on Cisco ASA 5. ASA 5510, and ASA 5. X models by applying a Security Plus license. Keep in mind that you can create a larger number of subinterfaces on some ASA appliances, but this particular limit only kicks in when you actually assign the given number of subinterfaces to VLANs with the vlan interface command.
VLAN Trunk Ports: This feature is applicable only to Cisco ASA 5. Ethernet switch. With the Base License, you can configure the physical switch ports only in access mode; with the Security Plus license, you gain the ability to carry multiple VLANs on any of the Cisco ASA 5.
Dual ISPs: This feature only applies to the Cisco ASA 5. Security Plus license enables it automatically. With the Base License, this platform only allows up to three configured logical interfaces, where the third interface can initiate traffic only to one of the other two; with this limitation, you cannot create a backup interface to provide external connectivity when the primary outside interface fails. When you apply the Security Plus license, the number of available logical interfaces increases to 2. ISPs.
10GE I/O: This feature is only applicable to Cisco ASA 5. X models. An SSP-1. Base License only allows you to configure the onboard fiber interfaces at 1-Gigabit Ethernet (GE) speed; the Security Plus license enables configuring these interfaces at 10-GE speed. This capability is always enabled on SSP-4. GE interface modules. Although not directly related to this license, it should be noted that a Cisco ASA 5. Security Plus license to configure Ethernet. Ethernet 0/1 interfaces at 1-GE speed. All other models not mentioned here allow you to configure any onboard or external physical Ethernet interfaces up to the maximum supported speed.
Inside Hosts: This value defines the maximum number of unique IP addresses behind the trusted interfaces that can establish concurrent connections with endpoints behind the outside interface. When operating in routed mode, the default route determines where the outside interface is; all unique endpoints behind all configured interfaces count toward the limit if the default route is not present. In transparent mode, only the interface with the fewest number of active endpoints counts toward the limit. This feature is set to Unlimited on all platforms except the Cisco ASA 5. Unlimited.
Failover: The option of configuring a pair of Cisco ASA devices for high availability is available on all platforms, but it requires the Security Plus license on Cisco ASA 5. ASA 5510, and ASA 5. X models. Because the Cisco ASA 5. Security Contexts feature, only Active/Standby failover is available on this platform. All other ASA models support both Active/Standby and Active/Active failover configurations.
Encryption-DES: This license enables the DES algorithm for VPN, Unified Communications Proxy, and management session encryption by default on all Cisco ASA platforms. A weak encryption algorithm such as DES is frequently not acceptable to many remote endpoints that need to establish a secure session with the Cisco ASA; this license is typically not sufficient outside of basic management tasks.
Encryption-3DES-AES: This license adds the 3DES and AES algorithms in order to provide strong encryption capabilities for VPN, Unified Communications Proxy, and management sessions. Some features, such as VPN Load Balancing, also require this license for proper operation.
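Returning to the Inside Hosts limit described above: which hosts count depends on the firewall mode and on whether a default route exists, and a quick model of the rule helps when sizing a licence tier. The Python below is an added example (not code from the chapter or from Cisco) that applies the three counting rules from the text to a constructed list of active connection endpoints and then asks whether one more host would be admitted; it assumes the same enforcement style the text gives for connection limits (hosts already counted keep working, only additional hosts above the limit are refused), and the interface names and addresses are made up.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of active connection endpoints as (interface, host IP);
# interface names and addresses are made up for this illustration.
ENDPOINTS: List[Tuple[str, str]] = [
    ("inside", "192.168.1.10"), ("inside", "192.168.1.11"), ("inside", "192.168.1.10"),
    ("dmz", "10.0.7.5"),
    ("outside", "203.0.113.7"), ("outside", "203.0.113.8"), ("outside", "203.0.113.9"),
]


def hosts_per_interface(endpoints: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Unique endpoint addresses seen behind each interface."""
    per: Dict[str, Set[str]] = {}
    for iface, ip in endpoints:
        per.setdefault(iface, set()).add(ip)
    return per


def counted_inside_hosts(endpoints: Iterable[Tuple[str, str]], mode: str,
                         default_route_iface: Optional[str] = None) -> int:
    """Hosts counted against the Inside Hosts licence, following the text:
    - routed mode with a default route: unique hosts behind every interface
      except the one the default route points out of (the outside);
    - routed mode without a default route: unique hosts behind all interfaces;
    - transparent mode: only the interface with the fewest active endpoints.
    """
    endpoints = list(endpoints)
    per = hosts_per_interface(endpoints)
    if mode == "transparent":
        return min((len(hosts) for hosts in per.values()), default=0)
    if mode != "routed":
        raise ValueError(f"unknown mode {mode!r}")
    # With default_route_iface=None nothing is excluded, which is exactly
    # the "no default route" rule.
    return len({ip for iface, ip in endpoints if iface != default_route_iface})


def new_host_admitted(endpoints: Iterable[Tuple[str, str]], mode: str,
                      new_iface: str, new_ip: str, limit: Optional[int],
                      default_route_iface: Optional[str] = None) -> bool:
    """Would a first connection from new_ip behind new_iface be accepted?
    limit=None models the Unlimited tier. Assumption (see lead-in): a host
    that is already counted never loses service; only an additional host
    that would push the count above the limit is refused."""
    if limit is None:
        return True
    endpoints = list(endpoints)
    before = counted_inside_hosts(endpoints, mode, default_route_iface)
    after = counted_inside_hosts(endpoints + [(new_iface, new_ip)], mode,
                                 default_route_iface)
    return after <= limit or after == before
```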
Export regulations control access to this license, so it may not necessarily come pre-installed on a brand-new Cisco ASA by default. Because the availability of strong encryption ciphers in the Cisco ASA configuration requires this license, obtain and enable it right away if you plan on using any of the relevant cryptographic features.
Other VPN Peers: This value defines the maximum number of concurrent IPsec site-to-site tunnels and IKEv. Cisco ASA platform. This capacity can extend from 1. Security Plus license on the Cisco ASA 5.
Total VPN Peers: This quantity defines the maximum number of any concurrent VPN sessions that can terminate on a given Cisco ASA platform. This licensed capacity is equal to the count of Other VPN Peers on all models with the exception of the Cisco ASA 5. Security Plus and AnyConnect Essentials licenses.
Advanced Security Features