topic Required help on ASA basic setup and configuration in Network Security

Required help on ASA basic setup and configuration

Goutam Biswas — Tue, 12 Mar 2019 03:41:50 GMT

Hi,

I am very very new to Security/Firewall domain, As I have gone through lot of documents and understood there must be one outside interface and atleast one or multiple inside interfaces depends on the requirement. I have attached a high level design, it shows how ASAs tobe connected to Aggre/Dist. Switches and how DMZ are conneccted to ASA via L2 Switches. Could any one help me on this how to configure and what are basic configuration required to eastablish the network and it works. I need two inside networks one is for dmz servers and another one is other servers to be advertise to outside DC.

Required help on ASA basic setup and configuration

Mizanul Islam — Fri, 07 Feb 2014 18:50:58 GMT

Hi Goutam,

Few days ago i have configured same topology. But first required requirments then i help you. You mail me direct (parosh.islam@yahoo.com)

Here is the below link for configuration help.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html

Regards

Parosh

+8801755591722

Re: Required help on ASA basic setup and configuration

Marius Gunnerud — Fri, 07 Feb 2014 19:44:10 GMT

Which ASA model are you running and version?

A very basic configuration you could setup, just remember to change the interface numbers and IP addresses to the required values:

int gig0/1

security-level 100

nameif inside

ip add 192.168.1.1 255.255.255.0

no shut

int gig0/2

security-level 0

nameif outside

ip add 8.8.8.9 255.255.255.252

no shut

route outside 0 0 8.8.8.10

object network LAN-to-outside-NAT

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) dynamic interface

http server enable

http 192.168.1.0 255.255.255.0 inside

crypto key generate rsa modulus 2048

ssh 192.168.1.0 255.255.255.0 inside

username USERNAME password PASSWORD

enable password PASSWORD

As I mentioned this is a very basic config that allows only traffic from the inside to the outside and nothing more. But you will have internet access at lease. Also keep in mind that you should change the subnets for http and ssh to a dedicated management subnet.

Please refer to this guide for configuration guide.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html

If you need more assistance please let us know.

--
Please remember to rate and select a correct answer

Required help on ASA basic setup and configuration

Goutam Biswas — Mon, 10 Feb 2014 06:09:45 GMT

Hi Parosh,

Thanks for your reply, If you have configured same topology, could you please give me configuration sample for the same setup.

Required help on ASA basic setup and configuration

Goutam Biswas — Mon, 10 Feb 2014 06:12:18 GMT

Hi,

Thanks.

What I understood from your configaration. ASA is located inline. Is it right my understanding? If so could you pls. give me sample config for ASAs are connected to Nk501 & 02 with high availability.

ASA model is 5584-X but not aware about software versin, it would be latest version.

Re: Required help on ASA basic setup and configuration

Marius Gunnerud — Mon, 10 Feb 2014 08:32:52 GMT

When you say NK501 that it is a typo and that it should be N5K01 (for nexus 5000 switch 1?)

So if these are nexus switches, and I assume you are looking for active/standby configuration on the ASA for HA. Your configuration would be something like the following if you want full redundancy.

---------------------------

N5K01

feature vpc

vpc domain 1

role priority 1000

system-priority 1

peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default

auto-recovery

interface Ethernet1/19

description ASA01

switchport mode trunk

channel-group 2 mode active

interface Ethernet1/21

description ASA01

switchport mode trunk

channel-group 2 mode active

interface Ethernet1/22

description vpc-keepalive

no switchport

ip address 169.254.111.1/16

no shutdown

interface Ethernet1/23

description vpc-peerlink

channel-group 1

no shutdown

interface Ethernet1/24

description vpc-peerlink

channel-group 1

no shutdown

interface port-channel1

description vpc-peerlink

vpc peer-link

interface port-channel2

description ASA

switchport mode trunk

vpc 1

------------------------------------------

N5K02

feature vpc

vpc domain 1

role priority 65535

system-priority 1

peer-keepalive destination 169.254.111.2 source 169.254.111.1 vrf default

auto-recovery

interface Ethernet1/19

description ASA02

switchport mode trunk

channel-group 2 mode active

interface Ethernet1/21

description ASA02

switchport mode trunk

channel-group 2 mode active

interface Ethernet1/22

description vpc-keepalive

no switchport

ip address 169.254.111.2/16

no shutdown

interface Ethernet1/23

description vpc-peerlink

channel-group 1

no shutdown

interface Ethernet1/24

description vpc-peerlink

channel-group 1

no shutdown

interface port-channel1

description vpc-peerlink

vpc peer-link

interface port-channel2

description ASA

switchport mode trunk

vpc 1

----------------------------------------------

ASA01

interface TenGigabitEthernet0/6

description N5K01

channel-group 2 mode active

interface TenGigabitEthernet0/7

description N5K01

channel-group 2 mode active

interface TenGigabitEthernet0/8

description Failover

channel-group 3

interface TenGigabitEthernet0/9

description Failover

channel-group 3

interface Port-channel2

description N5K01

nameif NAME

security-level 60

ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2

interface Port-channel3

description Failover link

interface Port-channel3.10

description State link

vlan 10

interface Port-channel3.20

description STATE Failover Interface

vlan 20

failover

failover lan unit primary

failover lan interface Failover_Link Port-channel3.10

failover key PASSWORD

failover replication http

failover link Stateful_Failover_Link Port-channel3.20

failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146

failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162

----------------------------

ASA02

interface TenGigabitEthernet0/6

description N5K01

channel-group 2 mode active

interface TenGigabitEthernet0/7

description N5K01

channel-group 2 mode active

interface TenGigabitEthernet0/8

description Failover

channel-group 3

interface TenGigabitEthernet0/9

description Failover

channel-group 3

interface Port-channel2

description N5K01

nameif NAME

security-level 60

ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2

interface Port-channel3

description STATE Failover Interface

interface Port-channel3.10

description Failover link

vlan 10

interface Port-channel3.20

description State link

vlan 20

failover

failover lan unit primary

failover lan interface Failover_Link Port-channel3.10

failover key PASSWORD

failover replication http

failover link Stateful_Failover_Link Port-channel3.20

failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146

failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162

--
Please remember to rate and select a correct answer

Re: Required help on ASA basic setup and configuration

Marius Gunnerud — Mon, 10 Feb 2014 08:34:59 GMT

Just noticed that I forgot to include the DMZ interfaces on the ASAs. But I am sure that you can figure that out by looking at the other interface configuration that I provided.

--
Please remember to rate and select a correct answer

Required help on ASA basic setup and configuration

Goutam Biswas — Mon, 10 Feb 2014 09:29:41 GMT

Hi,

Thanks,

can you tell me which interface would work for outside. As per my understanding according to your config sample. port-channel2 is configured between ASA and nk5-1 and 2 will be used for outside and the same port channel 2 is used for inside also with security level 60. is that mean I need to sub interface that port channel like.

port-channel2.30 is mapped with vlan 30 used for outside security level 0

port-channel2.40 is mapped with vlan 40 used for inside security level 60

port-channel2.50 is mapped with vlan 50 used for inside security level 90

and as per your configure ASA-01 is connecting to n5k-01 and ASA-02 is connecting to n5k-02 no crosss connect between ASA and nk5 (will it be good for redundancy purpose or this is design restriction)

Required help on ASA basic setup and configuration

Marius Gunnerud — Mon, 10 Feb 2014 11:09:55 GMT

If you have several VLANs that need to go through the firewall then yes you need to configure the portchannel 2 as subinterface

I did not include any configuration for the inside network as I thought it would be quite self explanitory by following the example for the interfaces going towards NK501 - 2.

ASA-01 is only connected to n5k-01 and ASA-02 is only connected to n5k-02 as per your network diagram. Yes you could cable them redundant between the n5k switches if you wanted to do that. I was just following your diagram.

--
Please remember to rate and select a correct answer

Required help on ASA basic setup and configuration

Goutam Biswas — Mon, 10 Feb 2014 11:14:45 GMT

Thanks, I will check and let you know if everything works fine. Thanks again for your help. Another help if possible.

Do you have any documents on ASA, where it shows diagram based configuration according to Data Center Design, it would help me to understand better and corelate with my setup.

I mean different design diagram and configuration deployment solution in today's Data Center.

Required help on ASA basic setup and configuration

Marius Gunnerud — Mon, 10 Feb 2014 11:26:49 GMT

Is this what you are looking for?

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html

--
Please remember to rate and select a correct answer

Required help on ASA basic setup and configuration

Goutam Biswas — Tue, 11 Feb 2014 09:51:21 GMT

Hi,

I am looking for basic design and configuration, this is very high level of design and configuration, which is little bit difficult to understand to me as freshers in Security.

Required help on ASA basic setup and configuration

Marius Gunnerud — Tue, 11 Feb 2014 10:45:44 GMT

Normally design documents do not have any configuration in them. But had a look around and found this...hope it is what you are looking for.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns824/sbaDC_cGuide.pdf

--
Please remember to rate and select a correct answer

Required help on ASA basic setup and configuration

Goutam Biswas — Tue, 11 Feb 2014 10:47:16 GMT

I have this one thanks

Required help on ASA basic setup and configuration

Marius Gunnerud — Tue, 11 Feb 2014 10:49:39 GMT

Then the only other thing that might be what you want is a configuration guide. and not a design guide.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/Nexus5000-NX-OS-ConfigurationGuide.pdf

Let me know if this is closer

--
Please remember to rate and select a correct answer