cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
514
Views
0
Helpful
7
Replies

about ASA firewall

Fahad Wasi
Level 1
Level 1

 

 Hello everyone,

 I have a question about ASA firewall, is it true that in ASA firewall, their are 2 ways we can configure it?

 Either we use GUI mode to access the ASA firewall or CLI mode?

 Is the GUI application basically the ASDM that we download and install it on the firewall?

Thanks

 

 

2 Accepted Solutions

Accepted Solutions

Very little is set by default. A default configuration only has the management interface active with an IP address and DHCP server. Once you setup some basic interface addresses and give them names and security levels you will, by default, be allowed to pass traffic from higher security to lower security level interfaces. Some routing is helpful to make anything other than connected networks reachable.

There are hundreds of other things you can do. IDS/IPS, for instance is a separate and optional module on the ASA. Only if you have it installed and licensed can you then create a service-policy in the ASA (using cli or GUI) directing traffic to it.

Configuration of the IDS is technically possible from the cli but 99% of people use the GUI (ASDM or IME - IPS Manager Express) for that.

View solution in original post

As I mentioned above, "IDS/IPS, for instance is a separate and optional module on the ASA." It must be installed and licensed. There are several types for the ASA. On the older 5500 series as well as the newer 5500-X series, one can use the AIP-SSM, part of Cisco's older technology IPS. Its capabilities are covered in the data sheet.

The newer 5500-X series also have the option of running IPS services on the CX module as part of the Next Generation Firewall (NGFW) features (also included is the option to run Web Security Essentials and Application Visibility and Control). That product is further described here.

The NGFW features are going to give you the greatest protection going forward as that represents the latest platform and developments from Cisco.

For whichever path you choose, the product support page (linked from the product info pages I already noted above) for a given product has installation and configuration guides.

View solution in original post

7 Replies 7

Yes, you are right. You can use either the CLI or the GUI which is the ASDM.

For the firewalling-part you can also do some config on the CLI and other config on the GUI, just as you want.

But for VPN, there are some parts in the config that can't be configured with the CLI, these have to be done in the GUI.

 

 Hello Karsten Iwen

Thanks for your reply so you mean that their are certain configurations that can only be done on CLI and GUI mode?

My other question is apart from configuring ACL on firewalls, what else can we do on it?
Do we also have to configure IPS /IDS on it or they are by default set?

Thanks

 

Very little is set by default. A default configuration only has the management interface active with an IP address and DHCP server. Once you setup some basic interface addresses and give them names and security levels you will, by default, be allowed to pass traffic from higher security to lower security level interfaces. Some routing is helpful to make anything other than connected networks reachable.

There are hundreds of other things you can do. IDS/IPS, for instance is a separate and optional module on the ASA. Only if you have it installed and licensed can you then create a service-policy in the ASA (using cli or GUI) directing traffic to it.

Configuration of the IDS is technically possible from the cli but 99% of people use the GUI (ASDM or IME - IPS Manager Express) for that.

 

 Hello Sir,

Sorry for the delay, thanks for the reply, Sir, do you mean that by default the security settings on the ASA firewall is set the max(Highest) level?

How do we install IPS/IDS on ASA firewall?

 

Do these IPS/IDS protect the LAN from external threats eg. viruses,trogons and etc?

 

Regards,

 

As I mentioned above, "IDS/IPS, for instance is a separate and optional module on the ASA." It must be installed and licensed. There are several types for the ASA. On the older 5500 series as well as the newer 5500-X series, one can use the AIP-SSM, part of Cisco's older technology IPS. Its capabilities are covered in the data sheet.

The newer 5500-X series also have the option of running IPS services on the CX module as part of the Next Generation Firewall (NGFW) features (also included is the option to run Web Security Essentials and Application Visibility and Control). That product is further described here.

The NGFW features are going to give you the greatest protection going forward as that represents the latest platform and developments from Cisco.

For whichever path you choose, the product support page (linked from the product info pages I already noted above) for a given product has installation and configuration guides.

johnlloyd_13
Level 9
Level 9

hi fahad,

karsten is right! you can only do certain things or configuration in ASDM (ASA GUI) versus CLI.

a perfect example is the clientless SSL VPN (webvpn) portal customization.

also to further add his answer, there's an option either to install the launcher permanently on your PC/NMS or run dynamically from ASA (from flash).

Also, just to add, the XML files for the anyconnect profiles can only be customised via the ASDM.

--

Please remember to select a correct answer and rate

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card