Back to the Basics: Cisco ASA Firewall Configuration Guide
by Darin Knobbe on May 26, 2020 1:45:00 PM
It's always good to get a refresher once in a while, especially now that Cisco has expanded its line-up of next-generation firewalls.
Cisco's most recent additions to its next-generation firewall family are the ASA 5506-X, 5508-X, 5516-X, and 5585-X with FirePOWER modules. The "X" line consolidates stateful firewalling and Next-Generation Intrusion Prevention System (NGIPS) functions in one appliance, and adds Application Visibility and Control (AVC), Advanced Malware Protection (AMP), and URL Filtering to your network.
Today, using the Cisco ASA 5506-X as our model, we will walk through the ASA firewall configuration step by step for a typical business organization.
The following illustration shows the topology the configuration is built around. We will cover how to design a basic Access Control List (ACL), Network Address Translation (NAT), and a simple demilitarized zone (DMZ) hosting a web server. The gear used in this configuration is the Cisco ASA 5506-X with FirePOWER module, running code 9.5(2).
Putting it To Practice: ASA 5506-X Configuration
Network Requirements
In a typical business environment the network has three segments: the Internet, the user LAN, and a DMZ. The DMZ hosts publicly reachable servers such as a web server or an email server. The Cisco ASA acts as both the firewall and the Internet gateway.
Here are a few additional points to note:
- LAN users and Web Servers all have Internet access.
- LAN users have full access to the web server segment (DMZ 1), but DMZ 1 has no access to the LAN.
- Anyone on the Internet can access the Web Server via a public NAT IP address over HTTP(S).
- All other traffic is denied unless explicitly allowed.
Updating ASA Software and ASDM Code
Set the system to boot the new ASA image and configure the matching ASDM image to be used.
Write the configuration to memory and verify that the bootvar points at the new image, then reload the system to load it.
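The following is an added example of that upgrade sequence on the ASA CLI; it is not taken from the original article. The TFTP server address, the exact image filenames (9.5(2) on the 5506-X uses the lfbff image naming, and the ASDM build must be one that pairs with that ASA release per the release notes), and the local account are assumptions for this example.

```text
! ---- Added example: staging ASA 9.5(2) and its ASDM image on a 5506-X ----
! TFTP server address and exact filenames are assumptions for this example.
copy tftp://192.168.1.50/asa952-lfbff-k8.SPA disk0:/asa952-lfbff-k8.SPA
copy tftp://192.168.1.50/asdm-752.bin disk0:/asdm-752.bin
!
! Check the image before committing to boot it, and confirm both files landed
verify disk0:/asa952-lfbff-k8.SPA
dir disk0:
!
configure terminal
! Drop stale boot entries so the new image is first in the boot list,
! then set the boot image and the ASDM image ASDM clients will download
clear configure boot
boot system disk0:/asa952-lfbff-k8.SPA
asdm image disk0:/asdm-752.bin
end
!
! Save, then confirm what the box will boot and serve before reloading
write memory
show bootvar
show asdm image
!
! Reload (answer the confirmation prompt); after the reboot, confirm the running image
reload
show version | include Software Version
```

`show bootvar` must list the new image as the first (and ideally only) `BOOT variable` entry before you reload; if an older image still appears first, the box will boot that one and the upgrade silently fails.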
Security Levels on Cisco ASA Firewall
Before the setup, it is key to understand how the Cisco ASA handles traffic in its tiered security-level model, since that model decides what passes between interfaces and is the tool for enforcing your organization's security policy. Understanding it first lets you see the end goal and get the full benefit of the ASA firewall.
By default, traffic from a lower to a higher security level is denied. That can be overridden by an ACL applied inbound on the lower-security interface. Likewise, the ASA permits traffic from a higher security level down to a lower one by default, and that behaviour can also be overridden with an ACL. Security levels are numbers from 0 to 100: untrusted networks such as the Internet get 0, and the most trusted network gets 100. In our model the security levels are LAN = 100, DMZ1 = 50 and outside = 0. One caveat worth remembering: once an ACL is applied to an interface with access-group, the implicit permit for higher-to-lower traffic on that interface is gone. Only what the ACL explicitly permits passes, and everything else hits the implicit deny at the end of the list.
The LAN is the most trusted network. It hosts not only internal user workstations but also mission-critical production servers. LAN users can reach the other networks, but no inbound access to the LAN is allowed from any other network unless explicitly permitted.
As a quick example, DMZ1 hosts public-facing web servers, and anyone on the Internet can reach them on TCP port 80 for HTTP. The design goal is to leave no path from a compromised DMZ host into the LAN: all inbound access to the LAN is denied unless the connection was initiated by an inside host, in which case the return traffic is matched by the ASA's connection table. Servers in DMZ1 serve web traffic from the Internet and from LAN users alike.
PivIT Global Network Design and IP Assignment
The last piece before we dive into the configuration is the specific design we use on a PivIT Global network, with its IP assignment. For simplicity, we assume a SOHO network with fewer than 200 users and no Layer 3 switch on the LAN, so every user and server points at the ASA as its default gateway to the Internet. We assign each network segment a /24 (255.255.255.0) subnet mask.
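To make the security-level model from the previous section and the network requirements (LAN = 100, DMZ1 = 50, outside = 0; LAN and DMZ1 get Internet access; DMZ1 cannot reach the LAN; only HTTP and HTTPS reach the web server from the Internet; everything else denied) concrete, here is an added example ASA 9.5(2) configuration written for this guide. It is not the original article's configuration nor PivIT's own seven-step procedure. The hostname, interface assignments, the /24 addresses (RFC 5737 documentation space on the public side, private ranges for LAN and DMZ1), the web server address, and the management account are all assumptions chosen for the example.

```text
! ---- Added example: ASA 9.5(2) baseline for the LAN / DMZ1 / outside design ----
! All addresses, interface assignments and account names are assumptions.
hostname asa5506
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif dmz1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Default route toward the ISP (next hop assumed)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Network objects hold the REAL addresses. On 8.3+ code, ACLs reference the
! real address, not the translated one, so the objects do double duty.
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network DMZ1_NET
 subnet 192.168.2.0 255.255.255.0
 nat (dmz1,outside) dynamic interface
!
object network WEB_SERVER
 host 192.168.2.10
 nat (dmz1,outside) static 203.0.113.10
!
! Inbound from the Internet: only HTTP/HTTPS to the web server's real address.
! Everything else is dropped by the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq https
access-group OUTSIDE_IN in interface outside
!
! DMZ1 -> LAN is already denied (50 -> 100), but applying an ACL removes the
! implicit "permit to lower" and lets us state least privilege explicitly:
! deny the LAN first, then allow only what a web server needs outbound.
access-list DMZ1_IN extended deny ip any object LAN_NET
access-list DMZ1_IN extended permit udp any any eq domain
access-list DMZ1_IN extended permit udp any any eq ntp
access-list DMZ1_IN extended permit tcp any any eq www
access-list DMZ1_IN extended permit tcp any any eq https
access-group DMZ1_IN in interface dmz1
!
! inside (100) carries no ACL: traffic to DMZ1 and the Internet is permitted
! by default, and return traffic is matched by the stateful connection table.
!
! Management only from the LAN, over SSH and ASDM (placeholder credentials)
username admin password S0meStr0ngP@ss privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
end
!
! Verification from exec mode: the first trace should end in ALLOW after the
! NAT untranslate, the second in DROP on the DMZ1_IN deny line.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
packet-tracer input dmz1 tcp 192.168.2.10 40000 192.168.1.20 445
show nat
show access-list
```

The two packet-tracer runs are the check worth keeping in your runbook: they exercise the exact paths the requirements list cares about (Internet to web server allowed, DMZ1 to LAN denied) without needing a host on either side, and `show access-list` hit counts tell you later whether anyone has been probing the DMZ for a way into the LAN.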
Cisco ASA 5506-X Configuration
The 7-step process guides you through the configuration using a PivIT network as the example. Each step carries explanatory text, diagrams, and procedures to help you navigate the user interface, get the best performance, and troubleshoot complications. Reach out to PivIT with any questions or for more information on the Cisco ASA 5506-X configuration!
About PivIT Global
Leave a comment, question, or concern below. We created the Tech Corner to connect with you on configuration guides, product discussions, and product comparisons, and to provide you with information about the industry. Subscribe to the Tech Corner today!