Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 21: ASA Firewall Configuration - Coggle Diagram

- - - - Abbreviation of commands and keywords
      - Use of the Tab key to complete a partial command
      - Use of the help key (?) after a command to view additional syntax
      - However, the ASA CLI also has different commands.
        
        IOS Router Commands
        
        enable secret password
        
        line vty 0 4
        password password
        login
        
        ip route
        
        show ip interface brief
        
        show ip route
        
        show ip nat translations
        
        copy running-config startup-config
        
        erase startup-config
        
        Equivalent ASA Commands
        
        enable password password
        
        passwd password
        
        route if name
        
        show interface ip brief
        
        show route
        
        show xlate
        
        write [memory]
        
        write erase
        
        ASA help command
    - - The ASA 5506-X with FirePOWER Services ships with a default configuration that, in most instances, is sufficient for a basic SOHO deployment.
        
        The ASA can be restored to its factory default configuration by using the configure factory-default global configuration mode command.
        The default hostname is ciscoasa. By default, the privileged EXEC and console line passwords are not configured. All interfaces are shutdown and unnamed.
        
        These settings can be changed by:
        
        Manually using the CLI
        
        Interactively using the CLI Setup Initialization wizard
        
        Using the ASDM Startup wizard
    - - The ASA provides an interactive setup initialization wizard to simplify the initial configuration of the device. The wizard guides the administrator to configure basic settings using interactive prompts.
        
        The wizard is displayed when there is no startup configuration, or if the startup configuration is erased and the ASA is rebooted using the write erase and reload privileged EXEC commands.
        
        When the device is rebooted, the ASA wizard displays the prompt “Pre-configure Firewall now through interactive prompts [yes]?” To cancel and display the ASA default user EXEC mode prompt, enter no. Otherwise, enter yes or simply press Enter to accept the default [yes]. This initiates the wizard and the ASA interactively guides an administrator to configure the default settings.
- - - - ciscoasa> enable
        Password:
        ciscoasa# clock set 12:00:00 1 April 2020
        ciscoasa# configure terminal
        ciscoasa(config)#
        
        Configure Basic Settings
        
        hostname name
        
        domain-name name
        
        enable password password
        
        banner motd message
        
        key config-key password-encryption [ new-pass [ old-pass ]]
        
        password encryption aes
        
        Configure Interfaces
        
        The backplane of the ASA-5506-X is shown in the figure.
        
        The IP address of an interface can be configured using one of the following options:
        
        Manually - Commonly used to assign an IP address and mask to the interface.
        
        DHCP - Used when an interface is connecting to an upstream device providing DHCP services. The interface can be a DHCP client and discover its IP address and DHCP-related information from the upstream device.
        
        PPPoE - Used when an interface is connecting to an upstream DSL device providing point-to-point connectivity over Ethernet services. The interface can be a PPPoE client and discover its IP address from an upstream PPPoE DSL device.
        
        Configure a Default Static Route
        
        If an ASA is configured as a DHCP client, then it can receive and install a default route from the upstream device. Otherwise, a default static route must be configured using the route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address command. To verify the route entry, use the show route command.
        
        Configure Remote Access Services
        
        Telnet communications send everything in plaintext, including passwords. SSH traffic is encrypted in a tunnel which helps protect passwords and other sensitive configuration commands from interception. Therefore, for security reasons, remote access should always be enabled using SSH. To enable SSH access, use the commands that are listed in the table. To verify the SSH configuration, use the show ssh command.
        
        Configure Network Time Protocol Services
        
        Network Time Protocol (NTP) services can be enabled on an ASA to obtain the date and time from an NTP server.
        To verify the NTP configuration and status, use the show ntp status and show ntp associations commands.
        
        Configure DHCP Services
        
        To verify DHCP settings, use the following commands:
        
        show dhcpd state - Displays the current DHCP state for inside and outside interfaces.
        
        show dhcpd binding - Displays the current DHCP bindings of inside users.
        
        show dhcpd statistics - Displays the current DHCP statistics.
        
        To clear the DHCP bindings or statistics, use the clear dhcpd binding or clear dhcpd statistics command.
- - - - Network object - A network object can contain a host, a network IP address, a range of IP addresses, or a fully qualified domain name (FQDN). A network object is configured using the object network command.
      - Service object - Contains a protocol and optional source and/or destination port. A service object is configured using the object service command.
- - - - ACLs are made up of one or more ACEs. ACEs are applied to a protocol, a source and destination IP address, a network, or the source and destination ports.
      - ACLs are processed sequentially from top down.
      - A criteria match will cause the ACL to be exited.
      - There is an implicit deny any at the bottom.
      - Remarks can be added per ACE or ACL.
      - Only one access list can be applied per interface, per protocol, per direction.
      - ACLs can be enabled/disabled based on time ranges.
- - - - Inside NAT - The typical NAT deployment method is when a host from a higher-security interface has traffic destined for a lower-security interface and the ASA translates the internal host address into a global address. The ASA then restores the original inside IP address for return traffic.
      - Outside NAT - This method is used when traffic from a lower-security interface that is destined for a host on the higher-security interface must be translated. This method may be useful to make an enterprise host located on the outside of the internal network appear as one from a known internal IP address.
      - Bidirectional NAT - Indicates that both inside NAT and outside NAT are used together.
    - - Dynamic PAT - This is a many-to-one translation. This is also known as NAT with overload. Usually an inside pool of private addresses overloading an outside interface or outside address.
      - Static NAT - This is a one-to-one translation. Usually an outside address mapping to an internal server.
      - Policy NAT - Policy-based NAT is based on a set of rules. These rules can specify that only certain source addresses that are intended for specific destination addresses and/or specific ports will be translated.
      - Identity NAT - A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
- - - - Step 1. (Optional) Configure extended ACLs to identify granular traffic that can be specifically referenced in the class map. For example, ACLs can be used to match TCP traffic, UDP traffic, HTTP traffic, or all traffic to a specific server.
      - Step 2. Configure the class map to identify traffic.
      - Step 3. Configure a policy map to apply actions to those class maps.
      - Step 4. Configure a service policy to attach the policy map to an interface.