Network Security v1.0 - Module 21


Module 21: ASA Firewall Configuration

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: ASA Firewall Configuration

Module Objective: Implement an ASA firewall configuration.

Topic Title - Topic Objective

• Basic ASA Firewall Configuration - Explain how to configure an ASA-5506-X with FirePOWER Services.
• Configure Management Settings and Services - Configure management settings and services on an ASA 5506-X firewall.
• Object Groups - Explain how to configure object groups on an ASA.
• ASA ACLs - Use the correct commands to configure access lists with object groups on an ASA.
• NAT Services on an ASA - Use the correct commands to configure an ASA to provide NAT services.
• AAA - Use the correct commands to configure access control using the local database and an AAA server.
• Service Policies on an ASA - Configure service policies on an ASA.
• Introduction to ASDM (Optional) - Note: This is an optional topic that is not assessed.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
21.1 Basic ASA Firewall Configuration

Basic ASA Firewall Configuration
Basic ASA Settings

The ASA command line interface (CLI) is a proprietary OS, which has a similar look and feel to the router IOS. For example, the ASA CLI provides command prompts similar to those of a Cisco IOS router, and supports:

• Abbreviation of commands and keywords
• Use of the Tab key to complete a partial command
• Use of the help key (?) after a command to view additional syntax

Basic ASA Firewall Configuration
Basic ASA Settings (Cont.)

The table contrasts common IOS router and ASA commands.

Basic ASA Firewall Configuration
Basic ASA Settings (Cont.)

ASA CLI commands can be executed regardless of the current configuration mode prompt.

Basic ASA Firewall Configuration
ASA Default Configuration
The ASA 5506-X with FirePOWER Services ships with a default configuration that, in most instances, is sufficient for a basic SOHO deployment. Use the configure factory-default global configuration mode command to restore the factory default configuration.

The default hostname is ciscoasa. By default, the privileged EXEC and console line passwords are not configured.

These settings can be changed by:

• Manually using the CLI
• Interactively using the CLI Setup Initialization wizard
• Using the ASDM Startup wizard

Basic ASA Firewall Configuration
ASA Interactive Setup Initialization Wizard

The wizard is displayed when there is no startup configuration, and prompts “Pre-configure Firewall now through interactive prompts [yes]?” To cancel and display the ASA default user EXEC mode prompt, enter no. Otherwise, enter yes or simply press Enter to accept the default [yes]. This initiates the wizard and the ASA interactively guides an administrator through configuring the default settings.

21.2 Configure Management Settings and Services

Configure Management Settings and Services
Enter Global Configuration Mode

The default ASA user prompt of ciscoasa> is displayed when an ASA configuration is erased, the
device is rebooted, and the user does not use the interactive setup wizard.

To enter privileged EXEC mode, use the enable user EXEC mode command. Initially, an ASA
does not have a password configured; therefore, when prompted, leave the enable password
prompt blank and press Enter.

The ASA date and time should be set either manually or by using Network Time Protocol (NTP).
To set the date and time, use the clock set privileged EXEC command.

Enter global configuration mode using the configure terminal privileged EXEC command.

Configure Management Settings and Services
Configure Basic Settings
An ASA must be configured with basic management settings. The table displays the commands to accomplish this task.

ASA Command - Description

hostname name
• Specifies a hostname up to 63 characters.
• A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.

domain-name name
• Sets the default domain name.

enable password password
• Sets the enable password for privileged EXEC mode.
• Sets the password as a case-sensitive string of 3 to 32 alphanumeric and special characters (not including a question mark or a space).

banner motd message
• Provides legal notification and configures the system to display a message-of-the-day banner when connecting to the ASA.

key config-key password-encryption [new-pass [old-pass]]
• Sets the passphrase, between 8 and 128 characters long, that is used to generate the encryption key.

password encryption aes
• Enables password encryption and encrypts all user passwords.

Configure Management Settings and Services
Configure Basic Settings (Cont.)

To configure a banner with several lines, the banner motd command must be entered multiple times.

The privileged EXEC password is automatically encrypted using MD5. However, stronger encryption using AES should be enabled. To do so, a master passphrase must be configured, and AES encryption must be enabled.

To change the master passphrase, use the key config-key password-encryption password command. To determine if password encryption is enabled, use the show password encryption command.
Configure Management Settings and Services
Configure Interfaces
The ASA-5506-X has eight Gigabit Ethernet interfaces that can be configured to carry traffic
from different networks. The G1/1 interface is used by convention as the outside interface and
is set to receive its IP address over DHCP by default.

The remaining interfaces, G1/2-G1/8, can be assigned to inside networks or DMZs. In addition,
a Gigabit Ethernet port is dedicated to in-band management. It is designated as
Management1/1. There are also RJ45 and USB console connections for out-of-band
management.

Configure Management Settings and Services
Configure Interfaces (Cont.)
The IP address of an interface can be configured using one of the following options:

• Manually - Commonly used to assign an IP address and mask to the interface.
• DHCP - Used when an interface is connecting to an upstream device providing DHCP services.
• PPPoE - Used when an interface is connecting to an upstream DSL device providing point-to-point connectivity over Ethernet services.

The table lists the commands to configure an IP address on an interface.

To Configure - ASA Command - Description

Manually
• ip address ip-address netmask - Assigns an IP address to the interface.

Using DHCP
• ip address dhcp - The interface will request an IP address configuration from the upstream device.
• ip address dhcp setroute - Used to have the interface request and install a default route to the upstream device.

Using PPPoE
• ip address pppoe - Interface configuration mode command that requests an IP address from the upstream device.
• ip address pppoe setroute - Same command, but it also requests and installs a default route to the upstream device.
Configure Management Settings and Services
Configure Interfaces (Cont.)
Each interface must have a security level from 0 (lowest) to 100 (highest).

The commands below are used to configure basic interface parameters.

Verify the interface addressing and status with the show interface ip brief command. Note that the show command does not need to be entered in user EXEC mode.

ASA Command - Description

nameif if_name
• Names the interface using a text string of up to 48 characters.
• The name is not case-sensitive.
• You can change the name by re-entering this command with a new value.
• Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

security-level value
• Sets the security level, where value is an integer between 0 (lowest) and 100 (highest).

no shutdown
• Activates the interface.
Configure Management Settings and Services
Configure Interfaces (Cont.)
Interface configuration example

Configure Management Settings and Services
Configure a Default Static Route

Use the route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address command to configure a default route.

Configure Management Settings and Services
Configure Remote Access Services
Telnet or SSH is required to manage the ASA 5506-X remotely using the CLI. To enable the Telnet service, use the commands listed in the table.

ASA Command - Description

{passwd | password} password
• Sets the login password, up to 80 characters in length, for Telnet.

telnet {ipv4_address mask | ipv6_address/prefix} if_name
• Identifies which inside host or network can Telnet to the ASA interface.
• Use the clear configure telnet command to remove the Telnet connection.

telnet timeout minutes
• By default, Telnet sessions left idle for five minutes are closed by the ASA.
• The command alters the default exec timeout of five minutes.

aaa authentication telnet console LOCAL
• Configures Telnet to refer to the local database for authentication.
• The LOCAL keyword is case sensitive and is a predefined server tag.

clear configure telnet
• Removes the Telnet connection from the configuration.

Configure Management Settings and Services
Configure Remote Access Services (Cont.)
To enable SSH, use the commands that are listed in the table. An example configuration is on the next slide.

ASA Command - Description

username name password password
• Creates a local database entry.

aaa authentication ssh console LOCAL
• Configures SSH to refer to the local database for authentication.
• The LOCAL keyword is case sensitive and is a predefined server tag.

crypto key generate rsa modulus modulus_size
• Generates the RSA key required for SSH encryption.
• The modulus_size (in bits) can be 512, 768, 1024, or 2048.
• A value of 2048 is recommended.

ssh {ip_address mask | ipv6_address/prefix} if_name
• Identifies which inside host or network can SSH to the ASA interface.
• Multiple commands can be in the configuration.
• If the if_name is not specified, SSH is enabled on all interfaces except the outside interface.
• Use the clear configure ssh command to remove the SSH connection.

ssh version version_number
• (Optional) By default, the ASA allows both SSH Version 1 (less secure) and Version 2 (more secure).
• Enter this command in order to restrict the connections to a specific version.

ssh timeout minutes
• Alters the default exec timeout of five minutes.

clear configure ssh
• Removes the SSH connection from the configuration.

Configure Management Settings and Services
Configure Remote Access Services (Cont.)

Configure Management Settings and Services
Optional Lab - Configure ASA Basic Settings Using the CLI

In this lab, you will complete the following objectives:

• Part 1: Configure Basic Device Settings
• Part 2: Access the ASA Console and Use CLI Setup Mode to Configure Basic Settings
• Part 3: Configure Basic ASA Settings and Interface Security Levels

Configure Management Settings and Services
Configure Network Time Protocol Services
Network Time Protocol (NTP) services can be enabled on an ASA to obtain the date and time from an NTP server. To enable NTP, use the global configuration mode commands listed in the table. To verify the NTP configuration and status, use the show ntp status and show ntp associations commands.

ASA Command - Description

ntp authenticate
• Enables authentication with an NTP server.

ntp trusted-key key_id
• Specifies an authentication key ID to be a trusted key, which is required for authentication with an NTP server.

ntp authentication-key key_id md5 key
• Sets a key to authenticate with an NTP server.

ntp server ip_address [key key_id]
• Identifies an NTP server.

Configure Management Settings and Services
Configure DHCP Services
An ASA can be configured to be a DHCP server to provide IP addresses and DHCP-related information to hosts. To enable an ASA as a DHCP server and provide DHCP services to hosts, use the commands listed in the table. An example is on the next slide.

ASA Command - Description

dhcpd address IP_address1[-IP_address2] if_name
• Creates a DHCP address pool in which IP_address1 is the start of the pool and IP_address2 is the end of the pool, separated by a hyphen.
• The address pool must be on the same subnet as the ASA interface.

dhcpd dns dns1 [dns2]
• (Optional) Specifies the IP address(es) of the DNS server(s).

dhcpd lease lease_length
• (Optional) Changes the lease length granted to the client, which is the amount of time in seconds that the client can use its allocated IP address before the lease expires.
• The lease_length defaults to 3600 seconds (1 hour) but can be a value from 0 to 1,048,575 seconds.

dhcpd domain domain_name
• (Optional) Specifies the domain name assigned to the client.

dhcpd enable if_name
• Enables the DHCP server service (daemon) on the interface (typically the inside interface) of the ASA.
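The rules stated in the management-settings tables of this topic (hostname and enable-password limits, the master passphrase plus AES password encryption step, Telnet versus SSH, the recommended RSA modulus, and the DHCP pool and lease constraints) can be checked mechanically before a configuration is pushed to a firewall. The following Python script is an added example, not part of this module or any Cisco tooling. The two command transcripts it audits are constructed for the demo (addresses, names and passwords are placeholder values), the finding tags are my own naming, and reporting any telnet access line as a weakness is my choice, since Telnet carries the login in cleartext and the module presents SSH as the alternative.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # 1-63 chars, per the table
LEASE_MAX = 1_048_575                                                            # dhcpd lease upper bound

# Constructed transcripts of configuration commands (not from the slides); demo values only.
WEAK_CONFIG = """
hostname asa-branch-
enable password ab
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
crypto key generate rsa modulus 1024
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.2.10-192.168.2.100 inside
dhcpd lease 2000000
dhcpd enable inside
"""

HARDENED_CONFIG = """
hostname asa-branch
domain-name example.com
enable password Str0ngEnable!
key config-key password-encryption M4sterPassphrase!
password encryption aes
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
username admin password Adm1nPassw0rd!
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd lease 3600
dhcpd enable inside
"""


def _interfaces(lines):
    """Map each nameif to the subnet of the static address configured on that interface."""
    ifaces, cur = {}, {}
    for t in lines:
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cur["name"] = t[1]
        elif t[:2] == ["ip", "address"] and t[2] not in ("dhcp", "pppoe"):
            cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        if "name" in cur and "net" in cur:
            ifaces[cur["name"]] = cur["net"]
    return ifaces


def audit(config):
    """Return sorted finding tags for settings that break the module's rules or fall short of its advice."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    text = "\n".join(" ".join(t) for t in lines)
    ifaces, findings = _interfaces(lines), set()
    for t in lines:
        if t[0] == "hostname" and not HOSTNAME_RE.match(t[1]):
            findings.add("hostname")
        elif t[:2] == ["enable", "password"]:
            pw = " ".join(t[2:])
            if not 3 <= len(pw) <= 32 or "?" in pw or " " in pw:
                findings.add("enable-password")
        elif t[0] == "telnet" and t[1] != "timeout":
            findings.add("telnet")           # cleartext management access; the module's alternative is SSH
        elif t[:4] == ["crypto", "key", "generate", "rsa"] and "modulus" in t:
            if int(t[t.index("modulus") + 1]) < 2048:
                findings.add("rsa-modulus")  # the table recommends a 2048-bit modulus
        elif t[:2] == ["dhcpd", "address"] and ifaces.get(t[3]):
            first, _, last = t[2].partition("-")
            net = ifaces[t[3]]               # the pool must lie in the interface's own subnet
            if any(ipaddress.ip_address(a) not in net for a in (first, last or first)):
                findings.add("dhcp-pool")
        elif t[:2] == ["dhcpd", "lease"] and not 0 <= int(t[2]) <= LEASE_MAX:
            findings.add("dhcp-lease")
    if "password encryption aes" not in text:
        findings.add("password-encryption")  # master passphrase and AES encryption not enabled
    if re.search(r"^ssh \d", text, re.M):
        if "ssh version 2" not in text:
            findings.add("ssh-version")      # both SSH Version 1 and Version 2 are accepted by default
        if "aaa authentication ssh console LOCAL" not in text:
            findings.add("ssh-aaa")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The checks are deliberately written against the command lines an administrator types (the running configuration would show the enable password hashed), so the script is meant to lint a change before it is applied. The same structure extends to the interface rules from the next slides, for instance flagging an interface that has an ip address but no nameif or security-level.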

Configure Management Settings and Services
Configure DHCP Services (Cont.)

21.3 Object Groups

Object Groups
Introduction to Objects and Object Groups

Objects are reusable components for use in configurations. Objects can be defined and used in Cisco ASA configurations in the place of inline IP addresses, services, names, and so on.

The ASA supports objects and object groups, as shown in the following output from the help facility:

Object Groups
Configure Network Objects
To create a network object, use the object network object-name global configuration
mode command. The prompt changes to network object configuration mode.

Network objects can consist of the following:

• host - a host address
• fqdn - a fully-qualified domain name
• range - a range of IP addresses
• subnet - an entire IP network or subnet

Object Groups
Configure Network Objects (Cont.)

Commands available in network object configuration mode are shown in the table.

ASA Command - Description

attribute attribute-agent attribute-type attribute-value
• Defined and used to filter traffic associated with one or more virtual machines.

description
• Enter a description of the object up to 200 characters in length.

fqdn
• A fully-qualified domain name, such as the name of a host (for example, www.example.com). Specify v4 to limit the address to IPv4, and v6 for IPv6. If you do not specify an address type, IPv4 is assumed.

host ip-address
• The IPv4 or IPv6 address of a single host.

range start_add end_add
• A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.

subnet {ipv4_add ipv4_mask | ipv6_add/ipv6_prefix}
• Assigns a network subnet to the named object.

Object Groups
Configure Network Objects (Cont.)
The example displays a sample network object configuration. Notice that the
configuration of range overwrites the previous configuration of host.

Object Groups
Configure Service Objects
The table provides an overview of common service options available. Optional keywords are used to identify the source port or destination port, or both. Operators such as eq (equal), neq (not equal), lt (less than), gt (greater than), and range support configuring a port for a given protocol. If no operator is specified, the default operator is eq.

Use the no form of the command to remove a service object. To erase all service objects, use the clear config object service command.

ASA Command - Description

service protocol
• Specifies an IP protocol name or number.

service tcp [source operator port] [destination operator port]
• Specifies that the service object is for the TCP protocol.

service udp [source operator port] [destination operator port]
• Specifies that the service object is for the UDP protocol.

service icmp [icmp-type [icmp_code]]
• Specifies that the service object is for the ICMP protocol.

service icmp6 [icmp-type [icmp_code]]
• Specifies that the service object is for the ICMPv6 protocol.
Object Groups
Configure Service Objects (Cont.)
A service object name can only be associated with one protocol and port (or ports), as shown
in the show run object service output in this example.

Object Groups
Object Groups

Objects can be grouped together to create an object group. By grouping like objects together, an object group can be used in an access control entry (ACE) instead of having to enter an ACE for each object separately.

The following guidelines and limitations apply to object groups:

• Objects and object groups share the same name space.
• Object groups must have unique names.
• An object group cannot be removed or emptied if it is used in a command.
• The ASA does not support IPv6 nested object groups.

Object Groups
Object Groups (Cont.)
There are five types of object groups.

• Network - A network-based object group specifies a list of IP host, subnet, or network addresses.
• User - Locally created, as well as imported Active Directory user groups can be defined for use in features that support the identity firewall.
• Service - A service-based object group is used to group TCP, UDP, or TCP and UDP ports into an object. The ASA enables the creation of a service object group that can contain a mix of TCP services, UDP services, ICMP-type services, and any protocol, such as ESP, GRE, and TCP.
• ICMP-Type - The ICMP protocol uses unique types to send control messages (RFC 792). The ICMP-type object group can group the necessary types required to meet an organization’s security needs, such as to create an object group called ECHO to group echo and echo-reply.
• Security - A security group object group can be used in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule.
Object Groups
Configure Common Object Groups
To configure a network object group, use the object-group network grp-name global configuration mode command. After entering the command, add network objects to the network group using the network-object and group-object commands.

To configure an ICMP object group, use the object-group icmp-type grp-name global configuration mode command. After entering the command, add ICMP objects to the ICMP object group using the icmp-object and group-object commands.

The example displays a sample network object group configuration.
21.4 ASA ACLs

ASA ACLs
ASA ACLs

These are the similarities between ASA ACLs and IOS ACLs:

• ACLs are made up of one or more ACEs. ACEs are applied to a protocol, a source and destination IP address, a network, or the source and destination ports.
• ACLs are processed sequentially from top down.
• A criteria match will cause the ACL to be exited.
• There is an implicit deny any at the bottom.
• Remarks can be added per ACE or ACL.
• Only one access list can be applied per interface, per protocol, per direction.
• ACLs can be enabled/disabled based on time ranges.

These are the differences between ASA ACLs and IOS ACLs:

• The ASA uses a network mask (e.g., 255.255.255.0) and not a wildcard mask (e.g., 0.0.0.255).
• ACLs are always named instead of numbered.
• By default, interface security levels apply access control without an ACL configured.
ASA ACLs
Types of ASA ACL Filtering

ACLs on a security appliance can be used not only to filter packets that are passing through the appliance but also to filter packets destined for the appliance.

• Through-traffic filtering - Traffic passing through the ASA from one interface to another interface. The configuration is completed in two steps: configure the ACL, then apply the ACL to an interface.
• To-the-box-traffic filtering - A management access rule that applies to traffic that terminates at the ASA.

ASA devices differ from their router counterparts because of interface security levels. By default, security levels apply access control without an ACL configured.
ASA ACLs
Types of ASA ACL Filtering (Cont.)

However, a host from an outside interface with security level 0 cannot access the inside
higher-level interface, as shown below.

ASA ACLs
Types of ASA ACL Filtering (Cont.)

A host from an outside interface with security level 0 cannot access the inside higher-level interface, as shown in the figure.

Use the same-security-traffic permit inter-interface command to enable traffic between interfaces with the same security level. Use the same-security-traffic permit intra-interface command to allow traffic to enter and exit the same interface.
ASA ACLs
Types of ASA ACLs
The ASA supports five types of access lists:
• Extended access list - The most common type of ACL.
• Standard access list - Unlike IOS where a standard ACL identifies the source
host/network, ASA standard ACLs are used to identify the destination IP addresses.
Standard access lists cannot be applied to interfaces to control traffic.
• EtherType access list - An EtherType ACL can be configured only if the security
appliance is running in transparent mode.
• Webtype access list - Used for filtering for clientless SSL VPN traffic. These ACLs can
deny access based on URLs or destination addresses.
• IPv6 access list - Used to determine which IPv6 traffic to block and which traffic to
forward at router interfaces.

Use the help access-list privileged EXEC command to display the syntax for all of the ACLs
supported on an ASA platform.

ASA ACLs
Types of ASA ACLs (Cont.)
The table provides examples of the uses of extended ACLs.

ACL Use - Description

Control network access for IP traffic
• The ASA does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list.

Identify traffic for AAA rules
• AAA rules use access lists to identify traffic.

Identify addresses for NAT
• Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.

Establish VPN access
• Extended access lists can be used in VPN commands.

Identify traffic for Modular Policy Framework (MPF)
• Access lists can be used to identify traffic in a class map, which is used for features that support MPF.
• Features that support MPF include TCP, general connection settings, and inspection.
ASA ACLs
Types of ASA ACLs (Cont.)

The table provides examples of uses of standard ACLs.

ACL Use - Description

Identify OSPF destination network in route maps
• Standard access lists include only the destination address. They can be used to control the redistribution of OSPF routes.

VPN filters
• Filter traffic for LAN-to-LAN (L2L), Cisco VPN Client, and the Cisco AnyConnect Secure Mobility Client traffic.

The table provides examples of uses of IPv6 ACLs.
ASA ACLs
Syntax for Configuring an ASA ACL

IOS and ASA ACLs have similar elements, but some options vary with the ASA.

There are many options that can be used with ACLs. However, for most needs, a more useful and condensed version of the syntax is shown in the figure.
ASA ACLs
Syntax for Configuring an ASA ACL (Cont.)
The table describes elements of an ASA ACL.

Element - Description

ACL id
• The name of the ACL.

Action
• Can be permit or deny.

Protocol
• Can be IP for all traffic, or the name / IP protocol number (0-250) including icmp (1), tcp (6), udp (17), or a protocol object-group.

Source
• Identifies the source and can be any, a host, a network, or a network object group.
• For to-the-box-traffic filtering, the interface keyword is used to specify the source interface of the ASA.

Source port operator
• (Optional) Operand is used in conjunction with the source port.
• Valid operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range for an inclusive range.

Source port
• (Optional) Can be the actual TCP or UDP port number, select port names, or a service object group.

Destination
• Identifies the destination and, like the source, it can be any, a host, a network, or a network object group.
• For to-the-box-traffic filtering, the interface keyword is used to specify the destination interface of the ASA.

Destination port operator
• (Optional) Operand is used in conjunction with the destination port.
• Valid operands are the same as the source port operands.

Destination port
• (Optional) Can be the actual TCP or UDP port number, select port names, or a service object group.

Log
• Can set elements for syslog including severity level and log interval.

Time range
• (Optional) Specify a time range for the ACE.
ASA ACLs
Syntax for Applying an ASA ACL
The example displays the command syntax and parameter description for applying the ACL to an interface using the access-group command. To verify ACLs, use the show access-list and show running-config access-list commands. To erase a configured ACL, use the clear configure access-list id command.

Syntax - Description

access-group
• Keyword used to apply an ACL to an interface.

id
• The name of the actual ACL to be applied to an interface.

in
• The ACL will filter inbound packets.

out
• The ACL will filter outbound packets.

interface
• Keyword to specify the interface to which to apply the ACL.

if_name
• The name of the interface to which to apply an ACL.

per-user-override
• Option that allows downloadable ACLs to override the entries on the interface ACL.

control-plane
• Keyword to specify whether the applied ACL analyzes traffic destined to the ASA for management purposes.
ASA ACLs
ASA ACL Examples
Example 1
• ACL allows all hosts on the inside network to go through the ASA.
• By default, all other traffic is denied unless explicitly permitted.

Example 2
• ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network.
• Internal hosts are permitted access to all other addresses.
• All other traffic is implicitly denied.
ASA ACLs
ACLs and Object Groups

Consider the sample topology in the figure, in which access from two trusted remote hosts, PC1 and PC2, should be allowed to the two internal web and email servers. All other traffic attempting to pass through the ASA should be dropped and logged.

The ACL would require two ACEs for each PC to accomplish the task. The implicit deny any drops and logs any packets that do not match email or web services. As shown in the example, ACLs should always be thoroughly documented using the remark command.

To verify the ACL syntax, use the show running-config access-list and show access-list commands, as shown in the example.
ASA ACLs
ACL Using Object Groups Examples

Object grouping is a way to group similar items together to reduce the number of ACEs.

Object grouping can cluster network objects into one group and outside hosts into another, as
shown in the following syntax. The security appliance can also combine both TCP services into
a service object group.

ASA ACLs
ACL Using Object Groups Examples (Cont.)

This example shows how to configure the following three object groups:

• NET-HOSTS - Identifies two external hosts.
• SERVERS - Identifies servers providing email and web services.
• HTTP-SMTP - Identifies SMTP and HTTP protocols.
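To tie the security-level rules, the ACL syntax, and the object groups of this topic together, the following Python model (an added example, not code from the module or from Cisco) parses a constructed configuration built around the NET-HOSTS, SERVERS and HTTP-SMTP object groups described on this slide and then decides a packet's fate the way the ASA sections above describe it: an inbound ACL is walked top down, the first matching ACE wins, anything unmatched hits the implicit deny, networks are written with a network mask rather than a wildcard mask, and where no ACL is applied the interface security levels decide. The interface names, security levels, addresses and the small port-name table are assumptions for the demo, and only the host, network-mask, any, eq and object-group forms of the ACE syntax are parsed.

```python
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22}  # small subset of the ASA port names

# Constructed configuration (not from the slides). It reuses the object-group names the
# module describes (NET-HOSTS, SERVERS, HTTP-SMTP); interfaces and addresses are assumptions.
CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
object-group network NET-HOSTS
 network-object host 209.165.201.10
 network-object host 209.165.201.11
object-group network SERVERS
 network-object host 192.168.1.20
 network-object 192.168.1.32 255.255.255.240
object-group service HTTP-SMTP tcp
 port-object eq www
 port-object eq smtp
access-list OUTSIDE-IN remark Trusted remote hosts to the web and email servers only
access-list OUTSIDE-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(t, svcgrps):
    """Parse 'permit|deny PROTO SRC [SPORT] DST [DPORT] [log]' (a subset of the ASA syntax)."""
    pos = 2

    def addr():  # any | host A | A MASK | object-group NAME
        nonlocal pos
        tok = t[pos]
        if tok == "any":
            pos += 1
            return [ipaddress.ip_network("0.0.0.0/0")]
        pos += 2
        if tok == "object-group":
            return t[pos - 1]  # group name, resolved against the network groups when matching
        # ASA ACEs take a host address or a network mask, never a wildcard mask
        return [ipaddress.ip_network(t[pos - 1] if tok == "host" else f"{tok}/{t[pos - 1]}")]

    def ports():  # eq PORT | object-group SERVICE-GROUP | absent (any port)
        nonlocal pos
        if pos < len(t) and t[pos] == "eq":
            pos += 2
            return {_port(t[pos - 1])}
        if pos < len(t) and t[pos] == "object-group" and t[pos + 1] in svcgrps:
            pos += 2
            return t[pos - 1]
        return None

    src, sport, dst, dport = addr(), ports(), addr(), ports()
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport)

def parse(config):
    """Build the tables an ASA consults for a through-the-box packet."""
    cfg = dict(ifaces={}, netgrps={}, svcgrps={}, acls={}, bindings={})
    group, iface = None, {}
    for t in map(str.split, config.splitlines()):
        if not t:
            continue
        if t[0] == "interface":
            iface = {}
        elif t[0] in ("nameif", "security-level"):
            iface[t[0]] = t[1]
            if len(iface) == 2:
                cfg["ifaces"][iface["nameif"]] = int(iface["security-level"])
        elif t[0] == "object-group":
            table, empty = (cfg["netgrps"], []) if t[1] == "network" else (cfg["svcgrps"], set())
            group = table.setdefault(t[2], empty)
        elif t[0] == "network-object":
            group.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "port-object":
            group.add(_port(t[2]))
        elif t[0] == "access-list" and t[2] == "extended":  # remark lines are skipped
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t[3:], cfg["svcgrps"]))
        elif t[0] == "access-group":  # access-group ID in|out interface IF_NAME
            cfg["bindings"][(t[4], t[2])] = t[1]
    return cfg

def _matches(cfg, ace, proto, src, sport, dst, dport):
    def look(spec, kind):  # a group name is resolved at match time; inline specs are lists/sets
        return cfg[kind][spec] if isinstance(spec, str) else spec
    ok_net = all(any(ip in n for n in look(spec, "netgrps")) for spec, ip in ((ace["src"], src), (ace["dst"], dst)))
    ok_port = all(spec is None or p in look(spec, "svcgrps") for spec, p in ((ace["sport"], sport), (ace["dport"], dport)))
    return ace["proto"] in ("ip", proto) and ok_net and ok_port

def decide(cfg, ingress, egress, proto, src, dst, sport=None, dport=None):
    """Return (action, reason) for a packet arriving on `ingress` and leaving via `egress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["bindings"].get((ingress, "in"))
    if acl:
        # An inbound ACL replaces the security-level default: first match wins, top down,
        # and whatever matches no ACE falls through to the implicit deny at the bottom.
        for n, ace in enumerate(cfg["acls"][acl], 1):
            if _matches(cfg, ace, proto, src, sport, dst, dport):
                return ace["action"], f"{acl} ACE {n}"
        return "deny", f"{acl} implicit deny"
    if cfg["ifaces"][ingress] > cfg["ifaces"][egress]:
        return "permit", "higher to lower security level (default)"
    return "deny", "not a higher security level and no permitting ACL"
```

Calling `decide(parse(CONFIG), "outside", "inside", "tcp", "209.165.201.10", "192.168.1.20", dport=80)` returns a permit on the first ACE, while the same host on port 22 is caught by the logged deny ACE. Removing the access-group line shows the other half of the story: with no ACL on the outside interface the level-0 to level-100 flow is denied by the security-level default, while inside-to-outside traffic is permitted without any ACL at all.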
21.5 NAT Services on an ASA

NAT Services on an ASA
ASA NAT Overview
NAT can be deployed using one of the following methods:

• Inside NAT
• Outside NAT
• Bidirectional NAT

Specifically, the Cisco ASA supports the following common types of NAT:

• Dynamic PAT - This is a many-to-one translation. This is also known as NAT with overload. Usually, an inside pool of private addresses overloads an outside interface or outside address.
• Static NAT - This is a one-to-one translation. Usually an outside address mapping to an internal server.
• Policy NAT - Policy-based NAT is based on a set of rules.
• Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.
NAT Services on an ASA
Configure Dynamic NAT
To configure network object dynamic NAT, two network objects are required:
• Identify the pool of mapped (public) IP addresses with the range or subnet network object commands.
• Identify the internal (real) addresses to be translated with the range or subnet network object commands.

The two network objects are then bound together using the nat [(real_if_name,mapped_if_name)] dynamic mapped_obj [interface [ipv6]] [dns] network object command, entered under the object that holds the real addresses. The real_if_name is the pre-NAT interface (where the real addresses live) and the mapped_if_name is the post-NAT interface. Notice that there is no space after the comma in the command syntax. The optional interface keyword makes the ASA fall back to PAT on the mapped interface address once the pool is exhausted.

NAT Services on an ASA
Configure Dynamic NAT (Cont.)
In this dynamic NAT example, the inside hosts on the 192.168.1.0/27 network are dynamically translated to public IP addresses drawn from the range 209.165.200.240 to 209.165.200.248.

NAT Services on an ASA
Configure Dynamic NAT (Cont.)
The example displays a sample dynamic NAT configuration to accomplish this task. The PUBLIC network object identifies the public IP addresses to be translated to, while the DYNAMIC-NAT object identifies the internal addresses to be translated and is bound to the PUBLIC network object with the nat command.

NAT Services on an ASA
Configure Dynamic NAT (Cont.)
The following example shows how to allow inside hosts to ping outside hosts. By default the ASA does not track ICMP sessions, so the echo replies returning through the lower-security outside interface are dropped unless ICMP inspection is enabled in the service policy (or an inbound ACL explicitly permits them).

To verify the network address translation, use the show xlate, show nat, and show nat detail commands.

NAT Services on an ASA
Configure Dynamic PAT
To enable inside hosts to overload the outside interface address, use the nat [(real_if_name,mapped_if_name)] dynamic interface command under the network object that holds the inside addresses, as shown in the example.
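The configuration figures for dynamic NAT and dynamic PAT are not reproduced in this copy. The following is an added example, not the course's own figure, that reconstructs the dynamic NAT case described two slides back (PUBLIC pool 209.165.200.240 to 209.165.200.248 for the inside hosts on 192.168.1.0/27) and adds the interface PAT form from this slide for a second inside subnet. The second subnet (192.168.2.0/24), the object name INSIDE-NET-2 and the interface fallback on the DYNAMIC-NAT rule are assumptions.

```cisco
! Mapped (post-NAT) addresses: a pool of only 9 public addresses
object network PUBLIC
 range 209.165.200.240 209.165.200.248
!
! Real (pre-NAT) addresses: 192.168.1.0/27 holds up to 30 hosts, more than the pool.
! The trailing "interface" keyword falls back to PAT on the outside interface address
! once the pool is exhausted; without it the 10th concurrent host gets no translation
! and its outbound connections silently fail.
object network DYNAMIC-NAT
 subnet 192.168.1.0 255.255.255.224
 nat (inside,outside) dynamic PUBLIC interface
!
! Dynamic PAT: many-to-one overload of the outside interface address (assumed subnet)
object network INSIDE-NET-2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

After applying this, show nat lists both rules with their translate_hits and untranslate_hits counters, show xlate shows the live translations (dynamic NAT entries are per host, PAT entries are per connection), and clear xlate tears them down if you need to re-test. A failed outbound connection with translate_hits not incrementing is the classic symptom of an exhausted pool on a rule that lacks the interface fallback.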

NAT Services on an ASA
Configure Static NAT
Static NAT is configured when an inside address is mapped to an outside address. For instance, static NAT can be used when a server must be accessible from the outside.

To configure static NAT, use the nat [(real_if_name,mapped_if_name)] static mapped-inline-host-ip network object command. Note that the static translation only maps the addresses; because traffic from a lower-security interface to a higher-security one is denied by default, an ACL on the outside interface must still permit the inbound connections to the server. The example configuration is on the next slide.

NAT Services on an ASA
Configure Static NAT (Cont.)

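The static NAT example slide is missing from this copy. Below is an added example (not the course's own figure) of the one-to-one mapping described on the previous slide, together with the ACL that is needed before outside hosts can actually reach the server. The DMZ interface name, the server's real address 192.168.2.3, the mapped address 209.165.200.227 and the ACL name OUTSIDE-DMZ are assumptions.

```cisco
! Real address of a DMZ server and its one-to-one mapped public address
object network DMZ-SERVER
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! Static NAT creates only the translation. Outside (security level 0) to DMZ is
! denied by default, so an ACL must permit the inbound flows. On ASA 8.3+ the ACL
! references the REAL address (object DMZ-SERVER), not the mapped one, even though
! the packets arrive on the outside interface destined to 209.165.200.227.
access-list OUTSIDE-DMZ extended permit tcp any object DMZ-SERVER eq www
access-list OUTSIDE-DMZ extended permit tcp any object DMZ-SERVER eq smtp
access-group OUTSIDE-DMZ in interface outside
```

To confirm the end-to-end path without waiting for real traffic, run packet-tracer input outside tcp 209.165.201.1 40000 209.165.200.227 80 (an assumed outside source address); the output walks through the UN-NAT, ACL and NAT phases and names the phase that drops the packet if one does. show nat and show xlate then show the static rule and its translation, which exists as soon as the rule is configured rather than on first use.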
21.6 AAA

AAA
AAA Review
Authentication, authorization, and accounting (AAA) provides an extra level of protection and user control. With AAA, only authenticated and authorized users are permitted to connect to or through the ASA.

Authorization controls access, per user, after users are authenticated. Authorization controls the
services and commands that are available to each authenticated user.

Accounting tracks traffic that passes through the ASA, enabling administrators to have a record of
user activity.

AAA
Local Database and Servers
Use the username name password password [privilege priv-level] command to create local user
accounts. To erase a user from the local database, use the clear config username [name]
command. To view all user accounts, use the show running-config username command.

To configure a TACACS+ or RADIUS server, use the commands listed in the table.

ASA Command: aaa-server server-tag protocol protocol
Description: Creates a TACACS+ or RADIUS AAA server group (protocol is tacacs+ or radius).

ASA Command: aaa-server server-tag [(interface_name)] host {server-ip | name} [key]
Description: Adds a AAA server to the server group and enters a mode in which host-specific parameters, such as the shared key and timeout, are set.

The example shows configuration of a AAA TACACS+ server on an ASA 5506-X.

AAA
AAA Configuration

To authenticate users who access the ASA CLI over a console (serial), SSH, HTTPS (ASDM), or Telnet connection, or who access privileged EXEC mode using the enable command, use the aaa authentication {serial | ssh | http | telnet | enable} console {LOCAL | server-tag [LOCAL]} command in global configuration mode, one line per access method. Listing LOCAL after the server tag makes the ASA fall back to the local database only when every server in the group is unreachable, which prevents an administrator lockout when the AAA server is down.

AAA
AAA Configuration (Cont.)
The example provides a sample AAA configuration that is then verified and tested.
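The sample AAA configuration referenced above is not reproduced in this copy. What follows is an added example (not the course's slide) that ties the local database, the TACACS+ server group and the per-access-method authentication commands together. The server group name TACACS-SRV, the server address 192.168.1.100, the shared key and the local account are assumptions.

```cisco
! Local account; used only as a fallback when the TACACS+ server is unreachable
username admin password Str0ng-L0cal-Passw0rd privilege 15
!
! TACACS+ server group and one host on the inside interface
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.168.1.100
 key TacacsSharedKey
 timeout 5
!
! One aaa authentication line per access method. "LOCAL" after the server tag means
! fall back to the local database only if the servers do not answer; a user the
! server rejects is NOT retried against the local database.
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication http console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
! The physical console stays on the local database so it works with the network down
aaa authentication serial console LOCAL
! Telnet is cleartext; if it must stay enabled, at least authenticate it as well
aaa authentication telnet console TACACS-SRV LOCAL
```

Apply this from a session you can afford to lose, with a second SSH session already open, so a typo in the server key does not lock you out before the fallback is proven. show aaa-server TACACS-SRV reports the server's state and request counters, and test aaa-server authentication TACACS-SRV host 192.168.1.100 username admin password <password> exercises the server without touching the management sessions. Note that the shared key is stored in clear text in show running-config unless a master passphrase is set with key config-key password-encryption and password encryption aes, both listed in this module's command summary.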

21.7 Service Policies on an
ASA

Service Policies on an ASA
Overview of MPF
A Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features,
such as traffic inspection and QoS, to the traffic that traverses the ASA. MPF allows granular
classification of traffic flows, which enables the application of different advanced policies to different
flows.
Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:
• Class Maps - What are we looking for?

• Policy Maps - What shall we do with it?

• Service Policy - Where do we do it?

Service Policies on an ASA
Overview of MPF (Cont.)
There are four steps to configure MPF on an ASA:

Step 1. (Optional) Configure extended ACLs to identify granular traffic that can be specifically
referenced in the class map.

Step 2. Configure the class map to identify traffic.

Step 3. Configure a policy map to apply actions to those class maps.

Step 4. Configure a service policy to attach the policy map to an interface.

Service Policies on an ASA
Configure Class Maps

To create a class map and enter class-map configuration mode, use the class-map class-map-name global configuration mode command.

Next, identify the traffic to match using the match any command (matches all traffic) or the match access-list access-list-name command, which matches the traffic specified by an extended access list.

Service Policies on an ASA
Define and Activate a Policy

Use the policy-map policy-map-name global configuration mode command to apply actions to the Layer 3 and 4 traffic.

In policy-map configuration mode (config-pmap), use the following commands:
• description - Add description text.
• class class-map-name - Identify a specific class map on which to perform actions; this enters policy-map class configuration mode (config-pmap-c).

These are the three most common commands available in policy-map class configuration mode:
• set connection - Sets connection limits and timeouts, for example a maximum number of embryonic (half-open) connections, which triggers TCP Intercept when exceeded.
• inspect - Enables protocol inspection for the class, so the ASA tracks the application session and opens the return or secondary channels it needs.
• police - Sets rate limits for traffic in this class.

To activate a policy map globally on all interfaces or on a targeted interface, use the service-policy policy-map-name [ global | interface intf ] global configuration mode command. Only one global service policy can exist; a policy applied to a specific interface takes precedence over the global policy for that interface's traffic.
Service Policies on an ASA
Define and Activate a Policy (Cont.)

The example configures the policy map. Its associated service policy is applied globally.
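The policy-map figure is not reproduced in this copy. The following added example, not the course's own, serves both this slide and the earlier "allow inside hosts to ping outside hosts" slide in the NAT topic: it walks the four MPF steps, adds ICMP inspection to the default global policy, and adds an assumed second class that matches an ACL and caps half-open connections toward a DMZ web server. The ACL name WEB-TRAFFIC, the class name WEB-CLASS, the server address and the connection limits are assumptions; class-map inspection_default and policy-map global_policy are part of the ASA factory configuration.

```cisco
! Step 1: extended ACL that selects the flows for a custom class (assumed server)
access-list WEB-TRAFFIC extended permit tcp any host 192.168.2.3 eq www
!
! Step 2: class maps. inspection_default already exists in the default configuration
! and matches the ports of all default inspections (including ICMP); WEB-CLASS is new.
class-map inspection_default
 match default-inspection-traffic
class-map WEB-CLASS
 match access-list WEB-TRAFFIC
!
! Step 3: policy map. global_policy also exists by default. Adding "inspect icmp"
! makes the ASA track echo requests so the replies are let back in, which is what
! allows inside hosts to ping outside hosts without an inbound ACL for ICMP.
policy-map global_policy
 class inspection_default
  inspect icmp
 class WEB-CLASS
  ! 1000 total connections, at most 100 half-open; exceeding the embryonic limit
  ! turns on TCP Intercept (SYN cookies) for this class, blunting a SYN flood
  set connection conn-max 1000 embryonic-conn-max 100
  set connection timeout embryonic 0:00:30
!
! Step 4: bind the policy. Only one global service policy can exist, and the
! default configuration already binds global_policy globally, so this line is
! a no-op on a factory box; it is the line you would add after removing it.
service-policy global_policy global
```

show service-policy prints, per interface and per class, the packet counters for each inspection and the current and maximum connection counts, so you can see both that ICMP is now being inspected and whether the WEB-CLASS limits are ever reached; show conn exposes the individual half-open connections if the embryonic counter climbs. Ordering matters inside a policy map: a class defined above another wins for a given feature, so keep inspection_default first if you add more classes.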

Service Policies on an ASA
Packet Tracer - Configure ASA Basic Settings and Firewall Using the
CLI
In this comprehensive Packet Tracer activity, you will complete the following objectives:

• Verify connectivity and explore the ASA.


• Configure basic ASA settings and interface security levels using the CLI.
• Configure routing, address translation, and inspection policy using the CLI.
• Configure DHCP, AAA, and SSH.
• Configure a DMZ, Static NAT, and ACLs.

Service Policies on an ASA
Optional Lab - Configure ASA Network Services, Routing, and DMZ with
ACLs Using CLI
In this comprehensive lab, you will complete the following objectives:
• Part 1: Configure Basic Device Settings
• Part 2: Configure Routing, Address Translation, and Inspection Policy Using the
CLI
• Part 3: Configure DHCP, AAA, and SSH
• Part 4: Configure DMZ, Static NAT, and ACLs

21.8 ASA Firewall
Configuration Summary

ASA Firewall Configuration Summary
What Did I Learn in this Module?
• The ASA CLI contains command prompts similar to that of a Cisco IOS router.
• Many commands are similar to those in Cisco IOS; however, many differences also exist.
• The ASA 5506-X with FirePOWER Services ships with a default configuration that, in most instances, is
sufficient for a basic SOHO deployment.
• The ASA 5506-X has eight Gigabit Ethernet interfaces that can be configured to carry traffic on different
Layer 3 networks. The G1/1 interface is frequently configured as the outside interface to the ISP.
• Basic configuration of interfaces includes IP addressing, naming, and setting the security level.
• If the interface is configured with DHCP, a default route from an upstream device can automatically be
configured on the ASA. Otherwise, a default route must be manually configured.
• Objects make it easy to maintain configurations because an object can be modified in one place and the
change will be reflected in all other places that are referencing it.
• Network objects can include host addresses, subnets, ranges of addresses, and FQDNs.
• Service objects can refer to different network services and protocols.
• Object groups are collections of objects that are related.
• Network object groups can also be used in configurations including ACLs and NAT.
ASA Firewall Configuration Summary
What Did I Learn in this Module? (Cont.)
• ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard
mask (e.g. 0.0.0.255).
• ASA ACLs must be grouped with an interface in order to go into effect. Object groups can be used with ASA
ACLs to limit the number of ACEs that are required in a list.
• There are three NAT deployment methods for the ASA: inside NAT, outside NAT, and bidirectional NAT.
• The ASA supports four types of NAT: dynamic NAT with overload, static NAT, policy NAT, and identity NAT.
• Cisco ASAs can be configured to authenticate access using a local user database or an external server for
authentication or both.
• A Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such
as traffic inspection and QoS, to the traffic that traverses the ASA.
• Class maps are used to identify the traffic that will be processed by MPF.
• Policy maps define what will be done to the identified traffic.
• Service policies identify which interfaces the policy map should be applied to.

ASA Firewall Configuration Summary
New Terms and Commands
• configure factory-default
• domain-name name
• key config-key password-encryption [ new-pass [ old-pass ]]
• password encryption aes
• show password encryption
• ip address dhcp setroute
• ip address pppoe
• ip address pppoe setroute
• nameif if_name
• security-level value
• route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address
• {passwd | password} password
• telnet { ipv4_address mask | ipv6_address/prefix } if_name
• telnet timeout minutes
• aaa authentication telnet console LOCAL
• clear configure telnet
• ssh { ip_address mask | ipv6_address/prefix } if_name
• ssh version version_number
• ssh timeout minutes
• clear configure ssh
• Network Time Protocol (NTP)
• ntp authenticate
• ntp trusted-key key_id
• ntp authentication-key key_id md5 key
• ntp server ip_address [ key key_id ]

ASA Firewall Configuration Summary
New Terms and Commands
• dhcpd address IP_address1 [ -IP_address2 ] if_name
• dhcpd dns dns1 [ dns2 ]
• dhcpd lease lease_length
• dhcpd domain domain_name
• dhcpd enable if_name
• object groups
• object network object-name
• object service object-name
• show run object service
• object-group network grp-name
• object-group icmp-type grp-name
• Through-traffic filtering
• To-the-box-traffic filtering
• same-security-traffic permit inter-interface
• same-security-traffic permit intra-interface
• access-group id { in | out } interface if_name [ per-user-override | control-plane ]
• access-list id extended { deny | permit } protocol object-group source_net-obj-grp_id object-group dest_net-obj-grp_id object-group service-obj-grp_id
• nat [(real_if_name,mapped_if_name)] dynamic mapped_obj [interface [ipv6]] [dns]
• show xlate
• show nat
• show nat detail
• nat [(real_if_name,mapped_if_name)] static mapped-inline-host-ip
• aaa-server server-tag protocol protocol

ASA Firewall Configuration Summary
New Terms and Commands
• aaa-server server-tag [(if_name)] host {server-ip | name } [ key ]
• username name password password [privilege priv-level]
• clear config username [name]
• Modular Policy Framework (MPF)
• class-map class-name
• policy-map policy-name
• service-policy serv-name [ global | interface if-name ]
