I have some queries.
We are going to implement/install a new Cisco ASA 5506-X configuration device in our environment:
We have 1 Vodafone ISP link with a public IP (22.214.171.124/30, let's assume) that would drop on the outer interface of the ASA.
We will use a /24 IP pool (assumed: 10.1.1.0/24).
The requirement is simple:
** We have to connect 10 systems towards the LAN: what would be the configuration?
** No DMZ setup in this environment.
** Is any DHCP/DNS configuration required?
I have prepared the following; just correct me if I am wrong & also let me know the whole process:
• Internal user LAN: 10.1.1.0/24
• ASA inside IP: 10.1.1.1
• ASA outside IP (static): 126.96.36.199
• NAT: Dynamic overload (PAT) using the outside interface.
Step 1: Configure the Internal LAN interface
interface GigabitEthernet1/2 <- Assumed port; the 5506-X exposes GigabitEthernet1/1 to 1/8
 nameif inside
 security-level 100 <- Security level 100 means it's the most trusted interface
 ip address 10.1.1.1 255.255.255.0
 no shutdown
Step 2: Configure the Outside WAN interface
interface GigabitEthernet1/1 <- Assumed port facing the ISP
 nameif outside
 security-level 0 <- Security level 0 means it's the least trusted interface
 ip address 188.8.131.52 255.255.255.0 <- Assume we have a static public IP from the ISP; use the mask the ISP gives (a /30 link is 255.255.255.252)
 no shutdown
In case the outside interface will receive its IP address dynamically via DHCP, use this command instead of the static ip address line:
 ip address dhcp setroute <- setroute also installs the default route learned from the ISP, so Step 4 is then not needed
Step 3: Configure PAT using the outside interface
nat (inside,outside) source dynamic any interface <- For traffic going from inside to outside use dynamic NAT on the interface (source IPs will be replaced by the outside interface IP)
Step 4: Configure default route towards the ISP (assume default gateway is 184.108.40.206)
route outside 0.0.0.0 0.0.0.0 220.127.116.11
OPTIONAL STEPS (But Useful)
Step 5: Assign IP addresses via DHCP to internal hosts
We can configure the ASA to work as DHCP server and assign IP addresses dynamically to internal hosts.
dhcpd address 10.1.1.10-10.1.1.100 inside <- ASA will assign IPs between 10.1.1.10-100
dhcpd dns 18.104.22.168 22.214.171.124 <- ASA will assign DNS servers (these are the opendns by the way)
dhcpd enable inside
Step 6: Enable SSH access for management
crypto key generate rsa modulus 1024 <- 2048 is the better choice on current ASA software
ssh version 2 <- Refuse the legacy SSHv1 protocol
ssh 10.1.1.5 255.255.255.255 inside <- Allow SSH access only from inside host 10.1.1.5
aaa authentication ssh console LOCAL <- Enable local authentication for SSH
username admin password [STRONGPASS] privilege 15
enable password Gh4w7$-s39fg#(!
Step 7: Apply useful ACL on outside
I usually apply the following ACL on the outside interface. It has two purposes: First is to allow ICMP reply packets to come back in (when pinging from inside to outside) and second purpose is to log any denied packets hitting the firewall from outside (for alert and security purposes).
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
Cisco ASA 5506 Firewall
1 ASA5506-FPWR-BUN ASA 5506-X with FirePOWER Svcs. Chassis and Subs. Bundle
2 ASA5506-K9 ASA 5506-X with FirePOWER services, 8GE, AC, 3DES/AES
3 CAB-IND-10A 10A Power cable for India
4 SF-ASA-K-9.8-K8 Cisco ASA 9.8 Software image for ASA 5506/5508/5516 series
5 SF-ASA-FP6.2-K9 Cisco FirePOWER Software v6.2 for ASA 5500-X
6 ASA5506-CTRL-LIC Cisco ASA5506 Control License
7 ASA5506-SSD ASA 5506-X SSD
8 ASA5500-ENCR-K9 ASA 5500 Strong Encryption License (3DES/AES)
9 ASA5506-PWR-AC ASA 5506-X Power Adaptor
10 L-ASA5506-TAMC= Cisco ASA5506 FirePOWER IPS, AMP and URL Licenses
11 FS-VMW-2-SW-K9 Cisco Firepower Management Center,(VMWare) for 2 devices
12 L-ASA5506-TAMC-1Y Cisco ASA5506 FirePOWER IPS, AMP and URL 1YR Subs
13 CON-ECMU-VMWSW2 SWSS UPGRADES Cisco Firepower Management Center,(VMWare) for
14 CON-SNT-ASA5506K SNTC-8X5XNBD ASA 5506-X with FirePOWER services, 8GE,
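An added sanity check for the plan above (my own Python, not from the post or from Cisco): it parses an ASA-style snippet and flags the mistakes that are easiest to make when assembling these steps, such as a default gateway that is not on the outside subnet, a DHCP pool that overlaps the ASA's own address or the SSH admin host, or SSH permitted on outside. The sample snippet is constructed, with 203.0.113.0/30 (a documentation range) standing in for the ISP link rather than the post's placeholder addresses.

```python
import ipaddress
import re

# Constructed sample from the post's steps; 203.0.113.0/30 (documentation range) stands in for the ISP /30.
ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 nameif inside
 ip address 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
nat (inside,outside) source dynamic any interface
dhcpd address 10.1.1.10-10.1.1.100 inside
ssh 10.1.1.5 255.255.255.255 inside
"""

def parse_interfaces(config):
    """Map each nameif to the ip_interface configured under it."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            cur = m.group(1)
        elif cur and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            ifaces[cur] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def check_config(config):
    """Return findings about the plan; an empty list means it is self-consistent."""
    ifaces, findings = parse_interfaces(config), []
    inside, outside = ifaces.get("inside"), ifaces.get("outside")
    if inside is None or outside is None:
        return ["inside and outside both need nameif and ip address"]
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if gw and ipaddress.ip_address(gw.group(1)) not in outside.network:
        findings.append(f"default gateway {gw.group(1)} is not on the outside subnet {outside.network}")
    if pool := re.search(r"^dhcpd address (\S+)-(\S+) inside", config, re.M):
        lo, hi = map(ipaddress.ip_address, pool.groups())
        if lo not in inside.network or hi not in inside.network:
            findings.append("DHCP pool lies outside the inside subnet")
        admins = re.findall(r"^ssh (\S+) 255\.255\.255\.255 inside", config, re.M)
        for host in [inside.ip, *map(ipaddress.ip_address, admins)]:  # never lease these out
            if lo <= host <= hi:
                findings.append(f"static host {host} falls inside the DHCP pool")
    for m in re.finditer(r"^ssh \S+ \S+ (\S+)", config, re.M):
        if m.group(1) != "inside":
            findings.append(f"SSH management exposed on {m.group(1)}")
    if not re.search(r"^nat \(inside,outside\) source dynamic any interface", config, re.M):
        findings.append("PAT from inside to the outside interface address is missing")
    return findings
```

Run `check_config` against your own snippet before pasting it into the box; anything it prints is worth fixing first.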
High-level steps look OK. Since it's new and there are no services there, you can easily deploy and test; on any errors, start tweaking the config by noting what is working and what is not working.
Below guide for reference: