
ASA 5516-X Firewall

Senbonzakura
Level 1

Greetings, would anyone who has personal experience configuring an ASA 5516-X Firewall be able to give me their input? What features are turned on by default when it comes to security, along with layer-6 security, and what features are not on but you recommend turning on, and why? Some advice would be appreciated.

Also, what ports should be blocked that aren't by default? This is a basic configuration: firewall to switch with multiple VLANs for data and voice.


5 Replies

Marvin Rhoads
Hall of Fame

When configuring a factory-fresh ASA 5516-X, not much is done by default. You have to set up the interfaces yourself. Once you do that - assuming, for instance, an inside and an outside interface - all traffic will be allowed to pass from inside to outside, and traffic from outside to inside that's not part of an already established connection will be blocked.

If you've set up multiple interfaces with the same security level, traffic will not pass between them unless allowed.

If there's a Firepower service module, that is where we normally configure higher-layer (L4+) inspections. The ASA by itself only has a set of very basic protocol conformance inspections.
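The defaults described in the reply above, written out as an ASA CLI configuration fragment for the data/voice VLAN topology the question describes. This is an added example, not configuration from the thread, from Cisco's documentation or from the poster; the interface names, VLAN IDs, RFC 5737/RFC 1918 addresses and the specific ports denied are assumptions, and the blocked ports are a common starting point rather than a recommendation made in the thread.

```text
! Added example (not from the thread). Interface names, VLAN IDs and
! addresses are assumptions; adjust to the real topology.
!
! Outside gets security-level 0, inside VLANs get 100. With no ACLs,
! traffic flows from higher to lower (inside -> outside) and only
! return traffic of existing connections flows outside -> inside.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
! Trunk to the switch: one sub-interface per VLAN (data and voice).
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/2.10
 vlan 10
 nameif data
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif voice
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! data and voice share security-level 100, so by default nothing passes
! between them. Leave that as-is and permit only what phones need with
! an ACL, or open it wholesale with the following line:
same-security-traffic permit inter-interface
!
! Caveat: binding an access-group to an interface replaces the implicit
! "higher to lower is allowed" behaviour on that interface, so the ACL
! must end in an explicit permit or all inside traffic stops. Blocked
! here (a typical egress starting point, not a full policy): Windows
! RPC/NetBIOS/SMB and Telnet leaving the data VLAN.
access-list DATA_IN extended deny tcp any any eq 135 log
access-list DATA_IN extended deny tcp any any eq 139 log
access-list DATA_IN extended deny tcp any any eq 445 log
access-list DATA_IN extended deny tcp any any eq telnet log
access-list DATA_IN extended permit ip any any
access-group DATA_IN in interface data
!
! Outside already drops unsolicited traffic (implicit deny). An explicit
! deny with "log" only makes those drops visible in syslog.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verify what the box is actually doing after the change:
! show running-config interface
! show running-config | include same-security
! show running-config access-group
! show service-policy
```

The `same-security-traffic` line is the decision point for the voice VLAN: enabling it removes the only separation the ASA gives two interfaces at level 100, so if it is turned on, a `VOICE_IN` access-list limiting the phones to the call-control subnet and the necessary ports should go with it.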

Thank you for clearing that up. Now, is IDS/IPS something that is done automatically, or does that have to be configured? I know it's probably a silly question, but I'm trying to get a better understanding of it.

This firewall is using the Firepower service module. How would I go about configuring the L4+ inspection (pros and cons to doing so), and any recommendations?

It has to be done via manual setup. I guess you are doing all the setup via CLI or ASDM?

The service module is managed either via ASDM ("local management") or via a Firepower Management Center (FMC) server.

If using ASDM, please check out this quick start guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-139878

 

I'll be doing everything through the CLI, but I did plan on using the online GUIs for monitoring it and making quick changes. I've configured the server for ASDM before, so I know how to go about that, but the Firepower module will be new for me.

Just follow that quick start guide.

Make sure to have your Protect and Control license PAK to redeem and license the Firepower service module via ASDM. Other than the initial bootstrap configuration, all Firepower configuration must be done via the GUI.

A simple "Balanced Security and Connectivity" intrusion policy is sufficient for 90% of the single-firewall use cases.
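The "initial bootstrap configuration" the reply above refers to is the one part of Firepower setup that happens on the ASA side rather than in ASDM: the module needs a management address, and the ASA must be told to hand traffic to it. An added example of that bootstrap, not taken from the thread or from the linked quick start guide; the class-map name, the management address and gateway, and the choice of fail-open are assumptions.

```text
! Added example (not from the thread). Addresses and names are assumptions.
!
! 1. Give the SFR module its management address. "session sfr console"
!    drops into the module's own CLI over the backplane; the indented
!    lines are typed there, not on the ASA.
session sfr console
!      configure network ipv4 manual 10.10.99.10 255.255.255.0 10.10.99.1
!      (only if managed by FMC, otherwise skip for ASDM local management)
!      configure manager add 10.10.99.50 <registration-key>
!
! 2. Redirect traffic to the module. Until this exists the module
!    inspects nothing, whatever intrusion policy is chosen in ASDM.
!    fail-open keeps traffic flowing if the module is down or rebooting;
!    fail-close drops it instead. Pick based on whether an outage or an
!    uninspected window is the bigger risk for this site.
class-map sfr_traffic
 match any
!
policy-map global_policy
 class sfr_traffic
  sfr fail-open
!
service-policy global_policy global
!
! 3. Confirm flows are really being redirected and the module is up:
! show service-policy sfr
! show module sfr details
```

`show service-policy sfr` should show packet counters climbing once traffic flows; a zero count with the module reporting "Up" usually means the class-map or service-policy was never applied.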
