ASA Firewall

Senbonzakura
Level 1

I am currently using an ASA 5510 Firewall and an ASA 5516-X. By default, what security settings aren't enabled that I should have enabled in any network configuration? Also, by default, is IPS/IDS enabled, or is this something that needs to be configured? Any advice would be appreciated, and any recommendations as well.

6 Replies

The Cisco 5510 firewall went EOL a very long time ago, and the 5516-X has also gone EOL. Having said that, the 5516 does support the Firepower feature. Firepower is a next-gen firewall (doing application layer inspection) compared to Cisco's old-gen firewalls.

If I had a choice between the 5510 and the 5516, I would stick with the 5516 as it has Firepower features. You need to get a licence in place in order to use the Firepower services; it comes in 1-year, 3-year and 5-year terms.
Now, coming to your question: what security settings you need to enable depends on your setup. If you want legacy layer 4 security, in that case the 5510 and the 5516 can both do the same for you. But Firepower runs only on 55xx-X series models.

Please do not forget to rate.

Yes, I do currently have a licence for the 5516-X. Are all features active by default, or is this something you have to accomplish manually? We are going very simple here: on one port of the firewall we have a guest WiFi, then on another port you are looking at the main WiFi along with the LAN network, and another port going to a different switch is the Voice. They're all segmented. With that being said, what is recommended for that type of setup? Generally speaking, that is.

First things first: if you are concerned about the security element of your network and want to use layer 7 inspection, log in to the 5516-X and give the command "show module sfr" to check if you have an SFR installed on the unit.

Are you asking for a best practice configuration for this setup?

Do you want me to write a basic script?

Please do not forget to rate.

I won't forget.

Yes, a basic configuration for the best security practices would be nice. Right now I don't have any bad habits when it comes to configuring things, so if someone could show me the right way from the beginning it would be appreciated.

Do you have a topology diagram and IP addresses?

If you can forward it, this would be helpful to understand and write a basic config.

Please do not forget to rate.

ASA# show run
: Saved
:
: Serial Number: JMX0949K0DM
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname ASA
domain-name www.domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 description Inside-Ruckus
 nameif Inside-Ruckus
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 description ISR
 nameif Inside-ISR
 security-level 100
 ip address 192.168.200.1 255.255.255.252
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.domain.com
object network inside-subnet
 subnet 192.168.50.0 255.255.255.0
object network obj_isr
 subnet 192.168.200.0 255.255.255.252
object network obj_vlan80
 subnet 192.168.80.0 255.255.255.0
object network obj_vlan250
 subnet 192.168.250.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu Inside-Ruckus 1500
mtu Inside-ISR 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-subnet
 nat (Inside-Ruckus,outside) dynamic interface
object network obj_isr
 nat (Inside-ISR,outside) dynamic interface
object network obj_vlan80
 nat (Inside-ISR,outside) dynamic interface
object network obj_vlan250
 nat (Inside-ISR,outside) dynamic interface
route Inside-ISR 192.168.80.0 255.255.255.0 192.168.200.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
no service password-recovery
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.50.10-192.168.50.254 Inside-Ruckus
dhcpd dns 75.75.75.75 75.75.76.76 interface Inside-Ruckus
dhcpd enable Inside-Ruckus
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c0d1bad779dbd0baebaa348eabcde24b
: end

Here's just a basic configuration that I'll be doing on the ASA5516-X shortly. Except, I won't be using an ISR connected to a switch for VLAN traffic. I'm not sure how to set up encapsulation dot1q on the firewall, so I just did it from an ISR instead; maybe you could help me with that.
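As an added example (not code from this thread, from Cisco, or from either poster), here is a small Python linter that reads a `show run` dump like the one posted above and flags the settings a reviewer would raise first on that config: the management interface sitting at security-level 0 like the outside, the 1024-bit `dh-group1-sha1` SSH key exchange, `console timeout 0`, no `logging enable`, and inside interfaces with no inbound ACL (on an ASA, traffic from a higher-security interface to a lower one is permitted unless an access-group denies it). The `SAMPLE_RUN` text is a constructed excerpt of that posted config, trimmed to the lines the checks read. The suggested fix commands are standard ASA CLI; whether `dh-group14-sha1` is accepted depends on the image you are running, so treat that one as an assumption to verify on the box.

```python
"""Lint an ASA `show run` dump for common hardening gaps.

Added example, not from the thread. SAMPLE_RUN is a constructed excerpt of the
ASA 5510 config posted above; only the lines the checks read are kept.
"""
import re

SAMPLE_RUN = """\
ASA Version 9.1(7)32
hostname ASA
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 nameif Inside-Ruckus
 security-level 100
 ip address 192.168.50.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.100.1 255.255.255.0
http server enable
http 192.168.100.2 255.255.255.255 management
no service password-recovery
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
"""


def parse_interfaces(text):
    """Collect nameif and security-level from every `interface` block."""
    ifaces, current = [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = {"phys": line.split(None, 1)[1], "nameif": None, "level": None}
            ifaces.append(current)
        elif line.startswith(" ") and current is not None:
            fields = line.split()
            if fields[0] == "nameif":
                current["nameif"] = fields[1]
            elif fields[0] == "security-level":
                current["level"] = int(fields[1])
        else:
            current = None  # any unindented line ends the interface block
    return [i for i in ifaces if i["nameif"]]


def audit(text):
    """Return a list of (code, what is wrong, suggested ASA command) tuples."""
    lines = [line.rstrip() for line in text.splitlines()]

    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)

    findings = []
    if has(r"ssh key-exchange group dh-group1-sha1"):
        findings.append(("weak-ssh-kex", "SSH key exchange uses 1024-bit DH group 1",
                         "ssh key-exchange group dh-group14-sha1  (assumed supported by the image)"))
    if not has(r"ssh version 2"):
        findings.append(("ssh-version", "SSHv2 is not explicitly enforced", "ssh version 2"))
    if has(r"console timeout 0"):
        findings.append(("console-no-timeout", "console sessions never time out", "console timeout 10"))
    if not has(r"logging enable"):
        findings.append(("no-logging", "syslog is off; denies and threat-detection events go nowhere",
                         "logging enable + logging buffered informational + logging host <nameif> <ip>"))
    for line in lines:  # `telnet <host> <mask> <nameif>` opens a cleartext login path
        m = re.fullmatch(r"telnet (\S+) (\S+) (\S+)", line)
        if m:
            findings.append(("telnet", f"cleartext telnet allowed from {m.group(1)} on {m.group(3)}",
                             f"no {line}"))
    for iface in parse_interfaces(text):
        name, level = iface["nameif"], iface["level"]
        if name == "management" and level == 0:
            findings.append(("mgmt-level-0", f"{iface['phys']} ({name}) is security-level 0, same as outside",
                             "security-level 100 + management-only under the interface"))
        # Higher-security interfaces pass everything outbound unless an inbound ACL is bound.
        if level and level > 0 and not has(rf"access-group \S+ in interface {re.escape(name)}"):
            findings.append(("no-acl", f"no inbound ACL on {name}: every flow toward lower-security interfaces is allowed",
                             f"access-list {name}_in ... + access-group {name}_in in interface {name}"))
    return findings


if __name__ == "__main__":
    for code, problem, fix in audit(SAMPLE_RUN):
        print(f"[{code}] {problem}\n    fix: {fix}")
```

Run it against a full `show run` capture by replacing `SAMPLE_RUN` with the file contents; the interface parser ignores the `!` separators and inspection policy blocks, so the unedited dump works as input. The `no-acl` check is deliberately not raised for security-level 0 interfaces because the default lower-to-higher deny already covers them.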