ASA initial configuration

  • Post category:ASA / Cisco


This post describes, at a high level, the initial configuration of a Cisco ASA firewall: the basic CLI settings needed to get an ASA connected to the internet (interfaces, static routes, access-lists and dynamic NAT), plus the basic management settings (local authentication, logging, SNMP, SSH, SSL/TLS and NTP).

Configuration

Hostname/Domain Name

Set the hostname and domain name. The hostname identifies the ASA at the CLI prompt and, together with the domain name, forms the FQDN that is used when the SSH host key pair is generated.

hostname <ASA hostname>
domain-name <domain name>

Authentication Settings

Configure one or more local user accounts and set the ASA to use the local database (LOCAL) for enable, ASDM (http), serial console and SSH authentication. The aaa authorization exec LOCAL auto-enable line places a privilege 15 user directly into privileged EXEC mode without a separate enable prompt, and login-history records recent logins per user.

username admin password <Secure Password> privilege 15
enable password <Secure Password>
!
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa authentication login-history

ASDM Settings

Specify the ASDM image on flash (note the disk0:/ path syntax), enable the HTTPS server on port 443 and restrict ASDM access to the listed network on the INSIDE interface; any other source is refused before authentication is attempted.

asdm image disk0:/asdm-7181-161.bin
http server enable 443
http 192.168.1.0 255.255.255.0 INSIDE

SSH Settings

Restrict SSH to the listed network on the INSIDE interface, force SSH version 2 and replace the weaker default encryption, integrity and key-exchange settings with stronger ones. The SSH server also needs a host key pair on the ASA (crypto key generate rsa, or ecdsa); until one exists, SSH connections are refused.

ssh 192.168.1.0 255.255.255.0 INSIDE
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha256

SSL Settings

Restrict the TLS/DTLS versions the ASA accepts as a server and negotiates as a client to 1.2, and set the DH and ECDH groups used for key exchange, rather than relying on the weaker defaults. These settings apply to ASDM and any other SSL/TLS session terminated by the ASA.

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl dh-group group14
ssl ecdh-group group19

Timeouts

Configure idle timeouts, in minutes, for console and SSH management sessions so that abandoned sessions are closed.

console timeout 10
ssh timeout 10

Time settings

Configure the local timezone and NTP server(s).

clock timezone GMT <hours offset>
!
ntp server <NTP Server IP address 1> source OUTSIDE
ntp server <NTP Server IP address 2> source OUTSIDE prefer

Logging (optional)

Enable logging with timestamps to the internal buffer at severity notifications (level 5) and below, and disable logging to the console and to monitor (terminal) sessions, which can otherwise load the CPU. Note that the buffer size is in bytes and wraps when full, so anything needed for later investigation should also go to a syslog server.

logging enable
logging timestamp
logging buffer-size 20000
logging buffered notifications
no logging monitor
no logging console
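As an added example (not part of the original post), the following Python snippet shows what the logging buffered notifications setting means in practice: every ASA message is tagged %ASA-<severity>-<message id>, and the buffer keeps only messages at or below the configured level. The sample lines are constructed in that format for illustration; a 106023 (traffic dropped by an interface ACL, severity 4) and a 710003 (management connection refused by the ssh/http allowed-network lists, severity 3) are kept, while severity-6 connection-built and AAA messages would be dropped at this level and only appear once the level is raised to informational.

```python
"""Triage of ASA syslog lines against a 'logging buffered <level>' setting.
Added example for this page, not Cisco code; the log lines are constructed."""
import re

# Severity levels 0..7, in the names the logging commands use.
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)")
# 106023: traffic through the box dropped by an interface ACL.
ACL_DENY = re.compile(r"Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                      r"dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
                      r'by access-group "(?P<acl>[^"]+)"')
# 710003: a connection TO the ASA refused by the ssh/http allowed-network lists.
MGMT_DENY = re.compile(r"(?P<proto>TCP|UDP) access denied by ACL from (?P<src>[\d.]+)/(?P<sport>\d+) "
                       r"to (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<service>\w+)")

SAMPLE_LOG = [  # constructed sample lines in the %ASA-<sev>-<id> format
    '%ASA-4-106023: Deny tcp src INSIDE:192.168.1.10/49152 dst OUTSIDE:203.0.113.5/22 by access-group "INSIDE_OUT" [0x0, 0x0]',
    "%ASA-6-302013: Built outbound TCP connection 4711 for OUTSIDE:203.0.113.5/443 (203.0.113.5/443) to INSIDE:192.168.1.10/50000 (1.1.1.1/50000)",
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/44123 to OUTSIDE:1.1.1.1/ssh",
    "%ASA-5-111008: User 'admin' executed the 'logging buffered notifications' command.",
    "%ASA-6-113012: AAA user authentication Successful : local database : user = admin",
]


def parse_line(line):
    """Split the header and pull out the fields of the two deny messages."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msg_id": m["msg_id"], "text": m["text"], "kind": "other"}
    d = ACL_DENY.search(m["text"]) if rec["msg_id"] == "106023" else None
    if d:
        rec.update(kind="acl_deny", **d.groupdict())
    d = MGMT_DENY.search(m["text"]) if rec["msg_id"] == "710003" else None
    if d:
        rec.update(kind="mgmt_deny", **d.groupdict())
    return rec


def buffered(records, level="notifications"):
    """Records the buffer keeps at the given level: severity <= level index."""
    return [r for r in records if r["severity"] <= LEVELS.index(level)]


def triage(lines, level="notifications"):
    """Summarise what survives in the buffer and which denies are in it."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    kept = buffered(recs, level)
    return {"kept": len(kept), "dropped": len(recs) - len(kept),
            "acl_denies": [r for r in kept if r["kind"] == "acl_deny"],
            "mgmt_denies": [r for r in kept if r["kind"] == "mgmt_deny"]}
```

Calling triage(SAMPLE_LOG) at the post's level keeps the two deny messages and the command-executed notice but drops the two severity-6 lines; the 710003 record is the one to alert on, since it means something outside the configured ssh/http networks tried to reach the ASA's management plane.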

SNMP Settings (optional)

Configure SNMPv3 with authentication and privacy (priv) for network monitoring, and send traps to the management station on INSIDE. The ***** fields are placeholders for the authentication and privacy passwords.

snmp-server location <Location>
snmp-server contact <Contact Name>
snmp-server enable traps all
snmp-server group <Group Name> v3 priv
snmp-server user <SNMP Username> <Group Name> v3 auth sha ***** priv aes 256 *****
snmp-server host INSIDE <NMS IP address> version 3 <SNMP Username>

Interface Configuration

Configure the INSIDE and OUTSIDE interfaces with a name, a static IP address and a security level (100 is the most trusted, 0 the least). The addresses used here are examples.

interface gigabitethernet0/0
 nameif INSIDE
 ip address 192.168.0.1 255.255.255.0
 security-level 100
 no shutdown
!
interface gigabitethernet0/1
 nameif OUTSIDE
 ip address 1.1.1.1 255.255.255.0
 security-level 0
 no shutdown

Network objects

Network objects represent subnets or individual hosts; once defined they can be referenced elsewhere in the configuration, for example in access-lists and NAT rules.

object network LAN-1
 subnet 192.168.1.0 255.255.255.0
!
object network LAN-2
 subnet 192.168.2.0 255.255.255.0
!
object network DNS-SRV
 host 9.9.9.9

An object group can reference multiple network objects, in this instance the internal networks LAN-1 and LAN-2.

object-group network LAN-NETWORKS
 network-object object LAN-1
 network-object object LAN-2

NAT Configuration

Internal networks using RFC 1918 private addresses must be translated to reach the internet. Auto NAT (object NAT) rules are defined inside the network objects, so the object itself is the real source: dynamic interface hides LAN-1 behind the OUTSIDE interface address (PAT), while LAN-2 is translated to the single public address 1.1.1.2, for which the ASA answers ARP on the OUTSIDE segment by default because it belongs to that subnet.

object network LAN-1
 nat (INSIDE,OUTSIDE) dynamic interface
!
object network LAN-2
 nat (INSIDE,OUTSIDE) dynamic 1.1.1.2

Static routes

At a minimum the ASA needs a default route pointing at the next hop on the OUTSIDE interface. Because LAN-1 and LAN-2 are not in the INSIDE interface subnet (192.168.0.0/24) but sit behind a layer 3 switch, static routes to that switch are also required; without them return traffic to those networks is dropped.

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.254
route INSIDE 192.168.1.0 255.255.255.0 192.168.0.254
route INSIDE 192.168.2.0 255.255.255.0 192.168.0.254

Allow ICMP to traverse the ASA

By default the ASA does not track ICMP statefully: echo requests from INSIDE (higher security level) are forwarded, but the replies are dropped on the way back. Enabling ICMP inspection in the global_policy policy-map, or with the legacy fixup protocol icmp commands, which configure the same inspection, makes ICMP stateful so replies are allowed back. Once an ACL is applied to INSIDE, that ACL must also permit ICMP, as the INSIDE_OUT list below does.

policy-map global_policy
 class inspection_default
  inspect icmp error
  inspect icmp

OR

fixup protocol icmp
fixup protocol icmp error

Access Control List

The ACL below provides basic internet connectivity: DNS to the defined DNS server object, outbound HTTP/HTTPS from the internal networks in the object-group LAN-NETWORKS, and ICMP from those networks to any destination. Entries are evaluated top down and the first match wins. ASA 8.3 and later matches interface ACLs against real (untranslated) addresses, which is why the internal subnets, not the NAT addresses, are referenced here. Any traffic not matching an Access Control Entry is dropped by the implicit deny at the end of every ACL; the explicit deny ip any any makes that drop visible as a hit count in show access-list.

access-list INSIDE_OUT permit udp any object DNS-SRV eq 53
access-list INSIDE_OUT permit tcp object-group LAN-NETWORKS any eq http
access-list INSIDE_OUT permit tcp object-group LAN-NETWORKS any eq https
access-list INSIDE_OUT permit icmp object-group LAN-NETWORKS any
access-list INSIDE_OUT deny ip any any

The access-group command applies the ACL INSIDE_OUT to traffic entering the INSIDE interface; until it is applied the ACL has no effect.

access-group INSIDE_OUT in interface INSIDE
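To make the relationship between the network objects, the ACL and the Auto NAT rules concrete, here is an added Python model, written for this page and not Cisco code, that loads the post's object, NAT and access-list lines and answers, for a flow arriving on INSIDE, which ACE matched (or whether the implicit deny applied) and what source translation a permitted flow receives. It covers the Network objects, NAT Configuration and Access Control List sections above. It assumes the OUTSIDE address 1.1.1.1 from the interface section; the PAT port allocation is a stated simplification and does not reproduce the ASA's own algorithm. The ACL is checked before NAT because ASA 8.3 and later evaluates interface ACLs on real, untranslated addresses.

```python
"""Offline model of the post's INSIDE_OUT policy: objects, ACL and Auto NAT.
Illustrative helper written for this page, not Cisco code."""
import ipaddress

# Constructed from the post's object, NAT and access-list lines.
CONFIG = """
object network LAN-1
 subnet 192.168.1.0 255.255.255.0
object network LAN-2
 subnet 192.168.2.0 255.255.255.0
object network DNS-SRV
 host 9.9.9.9
object-group network LAN-NETWORKS
 network-object object LAN-1
 network-object object LAN-2
object network LAN-1
 nat (INSIDE,OUTSIDE) dynamic interface
object network LAN-2
 nat (INSIDE,OUTSIDE) dynamic 1.1.1.2
access-list INSIDE_OUT permit udp any object DNS-SRV eq 53
access-list INSIDE_OUT permit tcp object-group LAN-NETWORKS any eq http
access-list INSIDE_OUT permit tcp object-group LAN-NETWORKS any eq https
access-list INSIDE_OUT permit icmp object-group LAN-NETWORKS any
access-list INSIDE_OUT deny ip any any
"""
OUTSIDE_IP = "1.1.1.1"  # the post's OUTSIDE interface address
PORT_NAMES = {"http": 80, "https": 443, "domain": 53}


def parse_config(text):
    """Parse the subset of ASA syntax the post uses (no source-port operators)."""
    objects, groups, nat, acl = {}, {}, [], []
    current, name = None, None

    def addr(t, i):  # one ACL address clause -> (networks, index after it)
        if t[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if t[i] in ("object", "object-group"):
            return (objects if t[i] == "object" else groups)[t[i + 1]], i + 2
        return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2  # "ip mask"

    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[0] in ("object", "object-group") and t[1] == "network":
            table = objects if t[0] == "object" else groups
            name, current = t[2], table.setdefault(t[2], [])
        elif t[0] == "subnet":
            current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "host":
            current.append(ipaddress.ip_network(t[1]))
        elif t[0] == "network-object":  # group member: reuse the object's networks
            current.extend(objects[t[2]])
        elif t[0] == "nat":  # Auto NAT: the enclosing object is the real source
            nat.append({"object": name, "real": list(current), "mapped": t[3]})
        elif t[0] == "access-list":
            src, i = addr(t, 4)
            dst, i = addr(t, i)
            dport = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
            acl.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return {"objects": objects, "groups": groups, "nat": nat, "acl": acl}


def _in(ip, nets):
    return any(ip in n for n in nets)


def evaluate_acl(acl, proto, src, dst, dport=None):
    """Top down, first match wins; no match falls to the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto) or not (_in(src, ace["src"]) and _in(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx
    return "deny", "implicit"


def translate(nat_rules, used, src, sport, outside_ip=OUTSIDE_IP):
    """Dynamic PAT.  Assumption (not the ASA's real allocator): keep the real
    source port if it is free on the mapped address, else next free port >= 1024."""
    src = ipaddress.ip_address(src)
    for rule in nat_rules:
        if not _in(src, rule["real"]):
            continue
        mapped = outside_ip if rule["mapped"] == "interface" else rule["mapped"]
        port = sport
        while (mapped, port) in used:
            port = port + 1 if port >= 1024 else 1024
        used.add((mapped, port))
        return mapped, port
    return None  # no Auto NAT rule matched: source leaves untranslated


def check_flow(policy, used, proto, src, sport, dst, dport=None):
    """Flow arriving on INSIDE: ASA 8.3+ matches the interface ACL against the
    real (pre-NAT) addresses, then translates only what the ACL permitted."""
    action, rule = evaluate_acl(policy["acl"], proto, src, dst, dport)
    nat = translate(policy["nat"], used, src, sport) if action == "permit" else None
    return {"action": action, "rule": rule, "nat": nat}
```

Usage: policy = parse_config(CONFIG); used = set(); then check_flow(policy, used, "tcp", "192.168.2.10", 50000, "203.0.113.5", 443) reports a permit on the third ACE with the source mapped to 1.1.1.2, while an SSH attempt from 192.168.1.10 to the same host hits the explicit deny (ACE index 4) and is never translated. Passing policy["acl"][:-1] to evaluate_acl shows the implicit deny catching what the explicit entry would otherwise have counted.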