Don R. Crawley, CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in business skills and technical training programs for IT professionals. He works with IT pros to enhance their work, lives, and careers. For information about soundtraining.net's training seminars for the Cisco ASA Security Appliance, see soundtraining.net.
Copyright (c) 2008 Don R. Crawley
There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:
**interface**
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces.
**nameif**
The nameif command gives the interface a name, and a default security level is assigned along with it (100 for the name inside, 0 for any other name, as the INFO messages in the sample below show). Typical names are outside, inside, or DMZ.
**security-level**
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.
In the following sample configuration, the interface command is first used to select the inside and outside VLAN interfaces, which are then named with nameif and receive their default security levels; the DMZ interface is then named and explicitly assigned a security level of 50.
```
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
```
**ip address**
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise, it's not necessary.
In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.
```
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1
```
**switchport access**
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.
```
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
```
**nat**
The nat command enables network address translation on the specified interface for the specified subnet.
In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT ID, which the global command uses to associate a global address or address pool with the inside addresses. (Note: NAT ID 0 is used to exempt the specified group of addresses from translation.)
```
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
```
**global**
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world.
In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.
```
ciscoasa(config)# global (outside) 1 12.3.4.5
```
In this additional example of the use of the global command, the interface keyword tells the firewall that hosts associated with NAT ID 1 will use the DHCP-assigned address of the outside interface as their global address.
```
ciscoasa(config)# global (outside) 1 interface
```
**route**
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets.
In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.
```
ciscoasa(config-if)# route outside 0 0 12.3.4.6
```
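The two rules the eight commands above depend on are easy to get wrong by omission: traffic is permitted without an access-list only from a higher security level to a lower one, and every nat ID must have a matching global entry or the translated hosts never reach the outside. The following script is an added example, not code from the article or from Cisco. It parses a running-config excerpt assembled from the article's own commands (the SAMPLE_CONFIG string is constructed here, not taken from a real appliance), answers the default-flow question for any pair of named interfaces, and lints the config for a missing global, a switchport left shut down, a VLAN with no interface configuration, an outside interface not at level 0, and a missing default route. The regular expressions cover only the command forms shown in the article.

```python
import re

# Constructed sample assembled from the article's commands (not a real device's config).
SAMPLE_CONFIG = """\
interface vlan1
 nameif inside
interface vlan2
 nameif outside
interface vlan3
 nameif dmz
 security-level 50
interface vlan 1
 ip address 192.168.1.1
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 switchport access vlan 1
 no shutdown
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 12.3.4.5
route outside 0 0 12.3.4.6
"""

IFACE_RE = re.compile(r"interface\s+([a-z]+)\s*([\d/]+)$", re.I)
NAT_RE = re.compile(r"nat\s+\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)$")
GLOBAL_RE = re.compile(r"global\s+\((\w+)\)\s+(\d+)\s+(\S+)$")
ROUTE_RE = re.compile(r"route\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def default_level(nameif):
    """nameif gives "inside" level 100 and any other name level 0 (the INFO lines above)."""
    return 100 if nameif == "inside" else 0


def parse_config(text):
    """Return (interfaces, nat, globals_, routes). Interface keys are normalised so
    that "interface vlan1" and "interface vlan 1" update the same record."""
    interfaces, nat, globals_, routes = {}, {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := IFACE_RE.match(line):
            key = (m.group(1) + m.group(2)).lower()
            # physical ports stay down until "no shutdown" is entered
            current = interfaces.setdefault(key, {"shutdown": True})
            continue
        if m := NAT_RE.match(line):
            nat[int(m.group(2))] = {"iface": m.group(1), "net": m.group(3), "mask": m.group(4)}
            continue
        if m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))] = {"iface": m.group(1), "addr": m.group(3)}
            continue
        if m := ROUTE_RE.match(line):
            routes.append({"iface": m.group(1), "net": m.group(2),
                           "mask": m.group(3), "gateway": m.group(4)})
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "nameif":
            current["nameif"] = parts[1]
            current.setdefault("security_level", default_level(parts[1]))
        elif parts[0] == "security-level":
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            current["ip"] = parts[2]
        elif parts[:3] == ["switchport", "access", "vlan"]:
            current["vlan"] = "vlan" + parts[3]
        elif parts == ["no", "shutdown"]:
            current["shutdown"] = False
    return interfaces, nat, globals_, routes


def security_levels(interfaces):
    """Map nameif -> security level for every named interface."""
    return {a["nameif"]: a["security_level"] for a in interfaces.values() if "nameif" in a}


def permitted_by_default(levels, src, dst):
    """Traffic flows without an access-list only from a strictly higher level to a lower one."""
    return levels[src] > levels[dst]


def lint(text):
    """Flag the omissions that leave the basic firewall non-functional."""
    interfaces, nat, globals_, routes = parse_config(text)
    levels = security_levels(interfaces)
    findings = []
    for nid in nat:
        if nid != 0 and nid not in globals_:   # nat 0 exempts addresses and needs no global
            findings.append(f"nat ID {nid} has no global entry; translated hosts cannot reach outside")
    for gid in globals_:
        if gid not in nat:
            findings.append(f"global ID {gid} has no matching nat statement")
    for key, a in interfaces.items():
        if not key.startswith("ethernet"):
            continue
        if a["shutdown"]:
            findings.append(f"{key} was never enabled with 'no shutdown'")
        if "vlan" in a and a["vlan"] not in interfaces:
            findings.append(f"{key} is in {a['vlan']}, which has no VLAN interface configuration")
    if levels.get("outside", 0) != 0:
        findings.append("outside interface is not at security level 0")
    if not any(r["net"] in ("0", "0.0.0.0") and r["mask"] in ("0", "0.0.0.0") for r in routes):
        findings.append("no default route configured")
    return findings


if __name__ == "__main__":
    lv = security_levels(parse_config(SAMPLE_CONFIG)[0])
    for s, d in (("inside", "dmz"), ("dmz", "inside"), ("outside", "dmz")):
        print(f"{s} -> {d}:", "default permit" if permitted_by_default(lv, s, d) else "needs access-list")
    print("findings:", lint(SAMPLE_CONFIG) or "none")
```

Run against the sample, `lint` returns no findings and the flow check reports inside -> dmz as permitted by default while dmz -> inside and outside -> dmz need an access-list. Deleting the global line from the sample makes `lint` report the orphaned nat ID, which is the kind of silent omission that otherwise shows up only as "inside hosts can't get out".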
The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.