cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

New Hall of Fame Member-Peter PAluch

134
Views
0
Helpful
2
Replies
Highlighted
Beginner

Cisco ASA 5506-X Configuration

 

I have some queries,

 

 

We are going to implement/insstall a new Cisco ASA 5506-X Configuration device in our environment:

Requirement:

We have 1 vodafone ISP link with public IP (50.50.50.1/30- Lets assume) that would drop on outer interface of the ASA.ASA configuration
We will use /24 IP pool (assumed~ 10.1.1.0/24).

Requiremnet is simple:

**We have to connect 10 system towards lan: What would be the configuration.

**No DMZ setup in this environment.

** Any DHCP/DNS configuration is required?

I have prepared just correct me If I am wrong & also let me know all process:...

 

 

------------------------

• Internal user LAN: 10.1.1.0/24
• ASA inside IP: 10.1.1.1
• ASA outside IP (static): 50.1.1.1
• NAT: Dynamic overload (PAT) using the outside interface.
Step 1: Configure the Internal LAN interface
interface GigabitEthernet1/2
description LAN
nameif inside
security-level 100 <- Security level 100 means it’s the most trusted interface
ip address 10.1.1.1 255.255.255.0
no shut
Step 2: Configure the Outside WAN interface
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0 <- Security level 0 means it’s the least trusted interface
ip address 50.1.1.1 255.255.255.0 <- Assume we have a static public IP from the ISP
no shut
NOTE:
In case the outside interface will receive IP address dynamically via DHCP use this command:
ip address dhcp setroute
Step 3: Configure PAT using the outside interface
nat (inside,outside) source dynamic any interface <- For traffic going from inside to outside use dynamic NAT on the interface (source IPs will be replaced by the outside interface IP)
Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)
route outside 0.0.0.0 0.0.0.0 50.1.1.2
OPTIONAL STEPS (But Useful)
Step 5: Assign IP addresses via DHCP to internal hosts
We can configure the ASA to work as DHCP server and assign IP addresses dynamically to internal hosts.
dhcpd address 10.1.1.10-10.1.1.100 inside <- ASA will assign IPs between 10.1.1.10-100
dhcpd dns 208.67.220.220 208.67.222.222 <- ASA will assign DNS servers (these are the opendns by the way)
dhcpd enable inside
Step 6: Enable SSH access for management
hostname ASA5506
crypto key generate rsa modulus 1024
ssh 10.1.1.5 255.255.255.255 inside <- Allow SSH access only from inside host 10.1.1.5
aaa authentication ssh console LOCAL <- Enable local authentication for SSH
username admin password [STRONGPASS] privilege 15
enable password Gh4w7$-s39fg#(!
Step 7: Apply useful ACL on outside
I usually apply the following ACL on the outside interface. It has two purposes: First is to allow ICMP reply packets to come back in (when pinging from inside to outside) and second purpose is to log any denied packets hitting the firewall from outside (for alert and security purposes).
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

 

---------------------------------------

Device details:

 

 

Cisco ASA 5506 Firewall
1 ASA5506-FPWR-BUN ASA 5506-X with FirePOWER Svcs. Chassis and Subs. Bundle
2 ASA5506-K9 ASA 5506-X with FirePOWER services, 8GE, AC, 3DES/AES
3 CAB-IND-10A 10A Power cable for India
4 SF-ASA-K-9.8-K8 Cisco ASA 9.8 Software image for ASA 5506/5508/5516 series
5 SF-ASA-FP6.2-K9 Cisco FirePOWER Software v6.2 for ASA 5500-X
6 ASA5506-CTRL-LIC Cisco ASA5506 Control License
7 ASA5506-SSD ASA 5506-X SSD
8 ASA5500-ENCR-K9 ASA 5500 Strong Encryption License (3DES/AES)
9 ASA5506-PWR-AC ASA 5506-X Power Adaptor
10 L-ASA5506-TAMC= Cisco ASA5506 FirePOWER IPS, AMP and URL Licenses
11 FS-VMW-2-SW-K9 Cisco Firepower Management Center,(VMWare) for 2 devices
12 L-ASA5506-TAMC-1Y Cisco ASA5506 FirePOWER IPS, AMP and URL 1YR Subs
13 CON-ECMU-VMWSW2 SWSS UPGRADES Cisco Firepower Management Center,(VMWare) for
14 CON-SNT-ASA5506K SNTC-8X5XNBD ASA 5506-X with FirePOWER services, 8GE,

 

Everyone's tags (1)
2 REPLIES
VIP Engager

Re: Cisco ASA 5506-X Configuration

high level steps look ok, since its new no services there you can easy deploy and test any errors start tweaking the config,

by noting what is working and what is not working.

 

below guide for reference :

 

https://www.cisco.com/c/dam/global/en_au/solutions/small-business/pdfs/Cisco-ASA-Easy-Setup-Guide-updated.pdf

 

https://www.networkstraining.com/cisco-asa-5506-x-configuration-tutorial-guide/

BB
*** Rate All Helpful Responses ***
Beginner

Re: Cisco ASA 5506-X Configuration

Hi,

 

Thanks!

 

CreatePlease to create content
Content for Community-Ad

Blog-Cisco Community Designated VIP Class of 2019