09-16-2008 04:35 PM - edited 03-11-2019 06:45 AM
Hello, I just unboxed my new ASA 5510. I have the task to configure this and install it onto my network. Currently we are running a WatchGuard Firebox X700. I will be replacing this with the ASA.
I will be swapping this out and putting the new ASA in. Knowing this, I need to set up and preconfigure the ASA like I have my firewall currently in production. This will be my first setup on an ASA.
I could use some guidance on configuring and setting it up for security. I have all the policies/configuration from the WatchGuard box.
If someone can help with setup/configuration and the best way to handle the swap, I would appreciate input.
09-16-2008 05:16 PM
Hi John,
You can set up the ASA in 5 steps:
Step 1: Name the interfaces
interface Ethernet0
nameif outside
interface Ethernet1
nameif inside
Step 2: Define security levels to interfaces
interface Ethernet0
security-level 0
interface Ethernet1
security-level 100
Step 3: Provide ip addresses to the interfaces:
interface Ethernet0
ip address 20.20.20.17 255.255.255.248
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
Step 4: Enable NAT/Global to allow the traffic to go outside from inside.
nat (inside) 1 192.168.2.0 255.255.255.0
or
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Step 5: Define a default route (the next hop is your ISP gateway; the address below is a placeholder, not a value from this thread)
route outside 0.0.0.0 0.0.0.0 <isp-gateway-ip>
To allow access to a host/network in the inside zone:
you will have to define a static NAT and permit it in an access-list that is bound to the outside interface. For example:
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside
HTH
Saju
Please rate if it helps
09-16-2008 05:41 PM
Saju,
Thanks for your response. I have an access-list on the router on the core network. Will I have to configure an access-list on the ASA also?
At the moment I have an external and an internal interface on the WatchGuard firewall. I have about 10 static routes for communications with a couple of remote offices over an MPLS circuit and some VLANs. I have 10 policies configured for external OWA, SSL, SharePoint, ping, etc. I guess I need to configure all of that on this new ASA. Have any recommendations on this?
So if I go with step 1, name the interfaces, and step 2, assign security-levels to the interfaces: what I read is that the WAN should be set to 0 and the inside LAN should be set to 100. What do those numbers mean?
Step 3: my WAN Ethernet 0 will be the external IP that's on my firewall and Ethernet 1 will be the internal private IP that's on the firewall. Step 4: enable NAT, and step 5: define a route.
I will also need to add all of those static routes.
Once again thanks for your input.
09-18-2008 10:54 AM
0 and 100 define the security level for the interface. The higher the number, the more trusted it is, which is why you would use the interface with a security level of 100 as your inside interface.
Yes, whatever you have set up on your current firewall you will have to add to the ASA.
So routes and access-lists.
You can set up a default route that looks like
route outside 0.0.0.0 0.0.0.0 1.2.3.4
and use this as a template to create the rest of your routes.
For example, if your access-list is permitting http, https, and ftp you would create an access-list that looks something like this (port qualifiers such as eq are only valid with tcp or udp, not ip):
access-list acl_in permit tcp any any eq 80
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq ftp
There is an implicit deny all, but it is good practice to define your own, so
access-list acl_in deny ip any any
This will be at the very end of your config.
After you create the access-list you will need to bind it to the interface that you are creating it for. So with the one I just created you would bind it to the inside interface.
access-group acl_in in interface inside (or whatever the nameif name you choose is)
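Since the ACL syntax above is easy to get wrong (the ASA rejects a port qualifier on protocol ip, and an access-group that names a non-existent ACL binds nothing), here is a small lint script for the access-list and access-group lines of an ASA config. It is an added example, not code from this thread or from Cisco; the SAMPLE_CONFIG is constructed and deliberately contains the ip-with-eq mistake and a mistyped ACL name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not from the thread: the outbound ACL from the reply above
# (with "permit ip ... eq" on two lines), the inbound smtp rule, and two bindings,
# one of which points at an ACL name that is never defined.
SAMPLE_CONFIG = """
access-list acl_in extended permit tcp any any eq 80
access-list acl_in extended permit ip any any eq 443
access-list acl_in extended permit ip any any eq ftp
access-list acl_in extended deny ip any any
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group acl_in in interface inside
access-group smtp_typo in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
PORT_RE = re.compile(r"\b(eq|gt|lt|neq|range)\b")


def lint_acls(config: str) -> List[Tuple[str, str]]:
    """Return (acl_name, finding) pairs for the ACL lines in an ASA config."""
    acls: Dict[str, List[str]] = {}        # ACL name -> actions in config order
    bindings: List[Tuple[str, str]] = []   # (ACL name, interface)
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append(action)
            # Port qualifiers exist only for tcp/udp; "ip ... eq 80" is a syntax error on the ASA
            if PORT_RE.search(rest) and proto not in ("tcp", "udp"):
                findings.append((name, f"port qualifier with protocol '{proto}', use tcp or udp: {line}"))
        elif m := GROUP_RE.match(line):
            name, _direction, iface = m.groups()
            bindings.append((name, iface))
    for name, iface in bindings:
        if name not in acls:
            findings.append((name, f"access-group on '{iface}' references an ACL that is not defined"))
    for name, actions in acls.items():
        # The implicit deny still applies; the explicit one just makes the end of the list visible
        if actions[-1] != "deny":
            findings.append((name, "no explicit 'deny ip any any' as the last entry"))
    return findings


if __name__ == "__main__":
    for acl, msg in lint_acls(SAMPLE_CONFIG):
        print(f"{acl}: {msg}")
```

Run it against a saved `show running-config` before pasting the ACLs into the ASA; each finding names the ACL it applies to.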