03-28-2014 01:35 AM - edited 03-11-2019 09:00 PM
Hello everyone,
I have a question about the ASA firewall: is it true that there are 2 ways we can configure it?
Either we use GUI mode to access the ASA firewall or CLI mode?
Is the GUI application basically the ASDM that we download and install on the firewall?
Thanks
04-10-2014 10:43 AM
Very little is set by default. A default configuration only has the management interface active with an IP address and DHCP server. Once you set up some basic interface addresses and give them names and security levels you will, by default, be allowed to pass traffic from higher security to lower security level interfaces. Some routing is helpful to make anything other than connected networks reachable.
There are hundreds of other things you can do. IDS/IPS, for instance, is a separate and optional module on the ASA. Only if you have it installed and licensed can you then create a service-policy in the ASA (using CLI or GUI) directing traffic to it.
Configuration of the IDS is technically possible from the CLI, but 99% of people use the GUI (ASDM or IME - IPS Manager Express) for that.
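As an added illustration of the pieces this answer describes (not config from any poster in this thread): two interfaces with names and security levels, a default route, and a service-policy that hands matched traffic to an installed IPS module. The interface IDs, names and addresses are made up, and the ips command assumes a legacy AIP-SSM is installed and licensed.

```cisco
! Constructed example - interface names, IDs and addresses are invented
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Default route so non-connected networks are reachable
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! With only the above, inside (100) -> outside (0) is permitted by default
! and outside -> inside is denied; nothing is inspected by an IPS yet.
!
! Select which traffic the IPS module should see
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Attach the class to the global policy and redirect it to the AIP-SSM.
! inline      = module sits in the traffic path and can drop packets (IPS)
! promiscuous = module gets a copy only and can alert, not block (IDS)
! fail-close  = if the module is down, matched traffic is dropped
! fail-open   = if the module is down, matched traffic bypasses inspection
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
!
service-policy global_policy global
```

fail-open keeps the network up if the module fails but silently removes the inspection, so the choice between fail-open and fail-close is a risk decision, not a default to accept blindly.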
05-06-2014 11:31 AM
As I mentioned above, "IDS/IPS, for instance, is a separate and optional module on the ASA." It must be installed and licensed. There are several types for the ASA. On the older 5500 series as well as the newer 5500-X series, one can use the AIP-SSM, part of Cisco's older technology IPS. Its capabilities are covered in the data sheet.
The newer 5500-X series also have the option of running IPS services on the CX module as part of the Next Generation Firewall (NGFW) features (also included is the option to run Web Security Essentials and Application Visibility and Control). That product is further described here.
The NGFW features are going to give you the greatest protection going forward as that represents the latest platform and developments from Cisco.
For whichever path you choose, the product support page (linked from the product info pages I already noted above) for a given product has installation and configuration guides.
03-28-2014 04:52 AM
Yes, you are right. You can use either the CLI or the GUI which is the ASDM.
For the firewalling part you can also do some config on the CLI and other config on the GUI, just as you want.
But for VPN, there are some parts in the config that can't be configured with the CLI, these have to be done in the GUI.
04-10-2014 09:36 AM
Hello Karsten Iwen
Thanks for your reply, so you mean that there are certain configurations that can only be done in CLI and GUI mode?
My other question is apart from configuring ACL on firewalls, what else can we do on it?
Do we also have to configure IPS/IDS on it, or are they set by default?
Thanks
05-06-2014 03:31 AM
Hello Sir,
Sorry for the delay, thanks for the reply, Sir. Do you mean that by default the security settings on the ASA firewall are set to the max (highest) level?
How do we install IPS/IDS on ASA firewall?
Do these IPS/IDS protect the LAN from external threats, e.g. viruses, trojans, etc.?
Regards,
03-29-2014 07:36 PM
Hi Fahad,
Karsten is right! You can only do certain things or configuration in ASDM (ASA GUI) versus CLI.
A perfect example is the clientless SSL VPN (WebVPN) portal customization.
Also, to further add to his answer, there's an option either to install the launcher permanently on your PC/NMS or run it dynamically from the ASA (from flash).
05-06-2014 04:10 AM
Also, just to add, the XML files for the AnyConnect profiles can only be customised via the ASDM.
--
Please remember to select a correct answer and rate