Module 21: ASA Firewall Configuration
21.1 Basic ASA Firewall Configuration
21.1.1 Basic ASA Settings
The ASA command line interface (CLI) is a proprietary OS, which has a similar look and feel to the router IOS.
ASA CLI commands can be executed regardless of the current configuration mode prompt.
21.1.2 ASA Default Configuration
The ASA 5506-X with FirePOWER Services ships with a default configuration that, in most instances, is sufficient for a basic SOHO deployment.
21.1.3 ASA Interactive Setup Initialization Wizard
The ASA provides an interactive setup initialization wizard to simplify the initial configuration of the device. The wizard guides the administrator through the basic settings using interactive prompts.
21.2 Configure Management Settings and Services
21.2.1 Enter Global Configuration Mode
The default ASA user prompt of ciscoasa> is displayed when an ASA configuration is erased, the device is rebooted, and the user does not use the interactive setup wizard.
21.2.2 Configure Basic Settings
An ASA must be configured with basic management settings. The table displays the commands to accomplish this task.
21.2.4 Configure Interfaces
The ASA 5506-X has eight Gigabit Ethernet interfaces that can be configured to carry traffic from different networks.
21.2.6 Configure a Default Static Route
If an ASA is configured as a DHCP client, then it can receive and install a default route from the upstream device.
21.2.8 Configure Remote Access Services
Telnet or SSH is required to manage the ASA 5506-X remotely, using the CLI. To enable the Telnet service, use the commands listed in the table.
21.2.13 Configure DHCP Services
An ASA can be configured to be a DHCP server to provide IP addresses and DHCP-related information to hosts.
21.3 Object Groups
21.3.1 Introduction to Objects and Object Groups
Objects are reusable components for use in configurations. Objects can be defined and used in Cisco ASA configurations in the place of inline IP addresses, services, names, and so on.
21.3.2 Configure Network Objects
To create a network object, use the object network object-name global configuration mode command. The prompt changes to network object configuration mode.
host - a host address
fqdn - a fully-qualified domain name
range - a range of IP addresses
subnet - an entire IP network or subnet
21.3.3 Configure Service Objects
To create a service object, use the object service object-name global configuration mode command.
21.3.4 Object Groups
Objects can be grouped together to create an object group. By grouping like objects together, an object group can be used in an access control entry (ACE) instead of having to enter an ACE for each object separately.
Objects and object groups share the same name space.
Object groups must have unique names.
An object group cannot be removed or emptied if it is used in a command.
The ASA does not support IPv6 nested object groups.
21.3.5 Configure Common Object Groups
To configure a network object group, use the object-group network grp-name global configuration mode command. After entering the command, add network objects to the network group using the network-object and group-object commands.
21.4 ASA ACLs
21.4.1 ASA ACLs
The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs control access in a network by preventing defined traffic from entering or exiting.
21.4.2 Types of ASA ACL Filtering
ACLs on a security appliance can be used not only to filter packets that are passing through the appliance but also to filter packets destined for the appliance.
21.4.3 Types of ASA ACLs
Use the help access-list privileged EXEC command to display the syntax for all of the ACLs supported on an ASA platform.
21.4.4 Syntax for Configuring an ASA ACL
The ACL configuration syntax options for the ASA can be a little overwhelming considering the number of parameters supported, as shown in the partial output of the help access-list command in the example.
21.4.7 ACLs and Object Groups
Consider the sample topology in the figure, in which access from two trusted, remote hosts, PC1 and PC2, should be allowed to the two internal web and email servers.
21.4.8 ACL Using Object Groups Examples
Object grouping is a way to group similar items together to reduce the number of ACEs. By grouping like objects together, object groups can be used in an ACL instead of having to enter an ACE for each object separately.
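The network objects, service objects and object groups of 21.3 and the object-group ACL of 21.4.7 and 21.4.8, as one added example built around the topology described above (two trusted remote hosts reaching an internal web and an email server). It is not the module's own configuration; the host and server addresses, the interface names and the object names are assumed. The servers are assumed to sit on a dmz interface.

```cisco
! Added example (not from the module); addresses and names are assumed
!
! Network objects for the internal servers (real, pre-NAT addresses)
object network WEB-SERVER
 host 192.168.2.10
object network MAIL-SERVER
 host 192.168.2.20
!
! Service objects for the protocols the servers offer
object service WEB-HTTPS
 service tcp destination eq https
object service MAIL-SMTP
 service tcp destination eq smtp
!
! Network object group: the two trusted remote hosts (PC1, PC2)
object-group network TRUSTED-HOSTS
 network-object host 209.165.201.10
 network-object host 209.165.201.11
!
! Network object group built from the existing server objects
object-group network INTERNAL-SERVERS
 network-object object WEB-SERVER
 network-object object MAIL-SERVER
!
! Nested group: group-object pulls another group in (IPv4 only)
object-group network ALLOWED-SOURCES
 group-object TRUSTED-HOSTS
!
! TCP service group listing the permitted destination ports
object-group service SERVER-PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
!
! One ACE instead of 2 hosts x 2 servers x 3 ports = 12 ACEs
access-list OUTSIDE-IN remark Trusted hosts to web and mail servers
access-list OUTSIDE-IN extended permit tcp object-group ALLOWED-SOURCES object-group INTERNAL-SERVERS object-group SERVER-PORTS
! Explicit deny at the end makes the implicit deny visible in hit counts
access-list OUTSIDE-IN extended deny ip any any
!
! Apply inbound on the outside interface
access-group OUTSIDE-IN in interface outside
!
! Verification: the ASA expands the object groups into individual ACEs
!   show access-list OUTSIDE-IN
!   show object-group
```

Two points worth checking when this does not behave as expected: since ASA 8.3, ACLs match on the real (untranslated) address of the servers, not on the public address they are reached through, so the objects above must hold the private addresses; and an object group that is referenced by an ACE cannot be deleted or emptied until the ACE is removed, which is why the order of cleanup matters.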
21.5 NAT Services on an ASA
21.5.1 ASA NAT Overview
Like IOS routers, the ASA supports Network Address Translation (NAT). NAT is typically used to translate private IP network addresses into public IP addresses.
21.5.2 Configure Dynamic NAT
To configure network object dynamic NAT, two network objects are required.
First, a network object identifying the pool of public IP addresses into which internal addresses are translated. The pool is identified using the range or subnet network object command.
Second, a network object identifying the internal addresses to be translated. These are also identified using the range or subnet network object command, and the nat command entered under this second object binds the two objects together.
21.5.4 Configure Dynamic PAT
A variation of this configuration is called Dynamic PAT. This is when an actual external IP address is configured and overloaded instead of the ASA interface IP address.
21.5.5 Configure Static NAT
Static NAT is configured when an inside address is mapped to an outside address. For instance, static NAT can be used when a server must be accessible from the outside.
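The three NAT forms of 21.5 (network object dynamic NAT with a pool, dynamic PAT, and static NAT) in one added configuration example. It is not the module's configuration; the pool, the inside and dmz networks, the server address and the public addresses are assumed values, and a dmz interface is assumed to exist.

```cisco
! Added example (not from the module); all addresses and names are assumed
!
! --- Dynamic NAT: two network objects ---
! 1. Pool of public addresses the inside hosts are translated into
object network PUBLIC-POOL
 range 209.165.200.240 209.165.200.248
!
! 2. Inside addresses to translate; the nat command binds it to the pool
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC-POOL
! (adding the keyword "interface" after the pool name falls back to PAT on
!  the outside interface address once the pool is exhausted)
!
! --- Dynamic PAT overloading the outside interface address ---
object network GUEST-NET
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Dynamic PAT overloading a dedicated external address ---
object network PAT-ADDRESS
 host 209.165.200.250
object network DMZ-CLIENTS
 subnet 192.168.2.128 255.255.255.128
 nat (dmz,outside) dynamic PAT-ADDRESS
!
! --- Static NAT: one-to-one mapping for a server reachable from outside ---
object network WEB-SERVER
 host 192.168.2.10
 nat (dmz,outside) static 209.165.200.227
!
! Verification:
!   show nat            (translation rules and hit counts)
!   show xlate          (active translations)
!   show conn           (active connections through the firewall)
```

Static NAT only publishes the mapping; an inbound access list on the outside interface (see 21.4) is still required before outside hosts can reach the server, and that ACL must reference the real address 192.168.2.10, not 209.165.200.227.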
21.6.1 AAA Review
21.6.2 Local Database and Servers
Cisco ASA can be configured to authenticate using a local user database or an external server for authentication or both.
21.6.3 AAA Configuration
To authenticate users who access the ASA CLI over a console (serial), SSH, HTTPS (ASDM), or Telnet connection, or to authenticate users who access privileged EXEC mode using the enable command,
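The local-database-plus-external-server arrangement of 21.6, as an added example that is not from the module: a RADIUS server group with the local database as fallback. The server address, group name, shared secret placeholder and local account are assumed values.

```cisco
! Added example (not from the module); server address and names are assumed
!
! Local account used when the external server group cannot be reached
username admin password <local-admin-password> privilege 15
!
! External RADIUS server group; the interface in parentheses is the one
! through which the server is reached
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.168.1.50
 key <radius-shared-secret>
!
! Authentication for each management path: RADIUS first, LOCAL fallback
aaa authentication ssh console RADIUS-SRV LOCAL
aaa authentication serial console RADIUS-SRV LOCAL
aaa authentication http console RADIUS-SRV LOCAL
! Also require authentication for the enable command
aaa authentication enable console RADIUS-SRV LOCAL
!
! Take the privilege level from the server that authenticated the user
aaa authorization exec authentication-server
!
! Record management sessions on the RADIUS server
aaa accounting ssh console RADIUS-SRV
aaa accounting enable console RADIUS-SRV
!
! Verification:
!   show aaa-server RADIUS-SRV
!   test aaa-server authentication RADIUS-SRV host 192.168.1.50 username admin
```

The LOCAL keyword at the end of an authentication line is only consulted when every server in the group is unreachable; a user the RADIUS server rejects is not retried against the local database. Test the fallback path with the server deliberately unreachable before relying on it, and verify the server path with the test aaa-server command so that a typo in the shared secret is found before the console session is closed.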
21.7 Service Policies on an ASA
21.7.1 Overview of MPF
A Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic
21.7.2 Configure Class Maps
Class maps are configured to identify Layer 3 and 4 traffic (also called Layer 3/4). To create a class map and enter class-map configuration mode, use the class-map class-map-name global configuration mode command.
21.7.3 Define and Activate a Policy
Policy maps are used to bind class maps with actions. Use the policy-map policy-map-name global configuration mode command to apply actions to the Layer 3 and 4 traffic.
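The class-map, policy-map and service-policy sequence of 21.7, as an added example that is not from the module. It extends the default global_policy (whose class inspection_default and match default-inspection-traffic already exist on a factory-configured ASA) and then builds a second, interface-specific policy. The ACL name, class and policy names and the connection limits are assumed values.

```cisco
! Added example (not from the module); names and limits are assumed
!
! 1. Extend the default inspection class so replies to inside pings and
!    DNS lookups are allowed back through the stateful inspection
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect dns
  inspect ftp
service-policy global_policy global
!
! 2. Custom Layer 3/4 class map: identify traffic with an ACL
access-list WEB-TRAFFIC extended permit tcp any any eq www
access-list WEB-TRAFFIC extended permit tcp any any eq https
class-map WEB-CLASS
 match access-list WEB-TRAFFIC
!
! 3. Policy map binds the class to actions (here, connection limits that
!    protect the servers from connection exhaustion)
policy-map OUTSIDE-POLICY
 class WEB-CLASS
  set connection conn-max 1000 embryonic-conn-max 100
  set connection timeout embryonic 0:00:30
!
! 4. Activate the policy on one interface (only one service-policy per
!    interface, plus the single global policy)
service-policy OUTSIDE-POLICY interface outside
!
! Verification:
!   show service-policy
!   show service-policy interface outside
!   show conn
```

The interface policy and the global policy both apply to traffic on the outside interface; for a given feature the interface policy wins, and the global policy covers whatever the interface policy does not classify.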
21.8.1 What Did I Learn in this Module?
Basic ASA Firewall Configuration
The ASA command line interface (CLI) is a proprietary OS, which has a similar look and feel to the router IOS.
Configure Management Services and Settings
The ASA 5506-X is configured by entering privileged EXEC mode with the enable command and then using configure terminal to enter global configuration mode.
Object Groups
Objects are reusable components for use in configurations. Objects can be defined and used in Cisco ASA configurations in the place of inline IP addresses, services, names, and so on.
ASA ACLs
The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs.
NAT Services on an ASA
NAT can be configured on ASAs as is done with routers. For ASAs there are three deployment methods.
AAA
Cisco ASAs can be configured to authenticate access using a local user database or an external server for authentication or both. Unlike the ISR, ASA devices do not support local authentication without using AAA.