Copyright (c) 2008 Don R. Crawley

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of them. Initially, however, only a few commands are required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts while not allowing outside hosts to access inside hosts. Additionally, management must be allowed from at least one inside host. Here are the eight basic commands:

**interface**

The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

**nameif**

The nameif command gives the interface a name and assigns it a security level. Typical names are outside, inside, and DMZ.

**security-level**

Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0; for an inside interface, the default security level is 100.

In the following sample configuration, the interface command is used first to enter the inside and outside VLAN interfaces so they can be named; then the DMZ interface is named and a security level of 50 is assigned to it. Note the INFO messages: an interface named inside receives 100 by default and any other name receives 0, which is why only the DMZ needs an explicit security-level.

```
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
```

**ip address**

The ip address command assigns an IP address to a VLAN interface, either statically or by making the interface a DHCP client. With modern versions of the security appliance software it is not necessary to configure default (classful) subnet masks explicitly. If you are using non-standard masks, you must configure the mask explicitly; otherwise it is not necessary.

In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface:

```
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1
```

**switchport access**

The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify the physical interfaces, assign them to VLANs on the appliance's built-in switch, and enable them (turn them on) with the no shutdown statement. Ethernet 0/0 joins VLAN 2 (the outside interface named above) and Ethernet 0/1 joins VLAN 1 (inside):

```
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
```

**nat**

The nat command enables network address translation on the specified interface for the specified subnet.

In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number 1 is the NAT ID, which the global command uses to associate a global address or pool with these inside addresses. (Note: NAT ID 0 is used to exempt the specified group of addresses from translation.)

```
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
```

**global**

The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from translated hosts (usually inside hosts) must flow, and the global address those hosts will use to connect to the outside world.

In the following sample, the hosts associated with NAT ID 1 will use the global address 12.3.4.5 on the outside interface:

```
ciscoasa(config)# global (outside) 1 12.3.4.5
```

In this additional example of the global command, the interface keyword tells the firewall that hosts associated with NAT ID 1 will use the outside interface's own, DHCP-assigned address as their global address:

```
ciscoasa(config)# global (outside) 1 interface
```

**route**

The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also add static routes that send traffic for specific subnets to specific next-hop routers.

In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for a network of 0.0.0.0 with a mask of 0.0.0.0, that is, every destination. The keyword outside identifies the interface through which traffic will flow to reach the default gateway:

```
ciscoasa(config-if)# route outside 0 0 12.3.4.6
```

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall; telnet or ssh to allow remote administration (prefer ssh, since Telnet carries the login and every command in cleartext, and restrict either to the address of the management host); dhcpd commands to allow the firewall to assign IP addresses to inside hosts; and static and access-list commands, a static translation plus a matching access-list entry, to allow internal hosts such as DMZ web servers or DMZ mail servers to be reachable from Internet hosts.
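The security-level rule and the nat/global pairing described above are simple to state but are the two things most often misread in a real configuration, so here is a small Python model added for this page (it is not Cisco code and not part of the original article). It parses the command forms the article shows (nameif, security-level, nat, global and route, in the classic nat/global syntax of that era) from a constructed sample configuration assembled from the article's own examples, and answers the three questions a practitioner asks of such a firewall: is a flow forwarded without an access-list, what address does an inside host appear as on the outside, and which interface and gateway does a destination leave through. The `nat (dmz) 0 ...` line and the 172.16.1.0/24 network are constructed additions to exercise the NAT ID 0 exemption the article mentions in passing; the default for a nameif other than inside (0) is taken from the INFO messages on the page.

```python
"""Model of the article's security-level default and nat/global pairing.

Added example for this page; it parses only the command forms shown in
the article and is not Cisco code.
"""
import ipaddress
import re

# Constructed sample: the article's examples assembled into one configuration.
# The "nat (dmz) 0 ..." line and 172.16.1.0/24 are additions made here to
# exercise the NAT ID 0 exemption the article mentions.
SAMPLE_CONFIG = """
interface vlan1
 nameif inside
interface vlan2
 nameif outside
interface vlan3
 nameif dmz
 security-level 50
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 0 172.16.1.0 255.255.255.0
global (outside) 1 12.3.4.5
route outside 0 0 12.3.4.6
"""


def parse_config(text):
    """Return (levels, nats, globals_, routes) from ASA-style config lines.

    levels:   nameif -> security level
    nats:     list of (interface, nat_id, IPv4Network)
    globals_: (interface, nat_id) -> global address or the literal "interface"
    routes:   list of (interface, IPv4Network, gateway)
    """
    levels, nats, globals_, routes = {}, [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):
            current = m[1]
            # Matches the INFO lines on the page: an interface named "inside"
            # defaults to 100, any other name defaults to 0.
            levels[current] = 100 if current == "inside" else 0
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and current:
            levels[current] = int(m[1])
        elif m := re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.fullmatch(r"global \((\S+)\) (\d+) (\S+)", line):
            globals_[(m[1], int(m[2]))] = m[3]
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)", line):
            # "0 0" is the shorthand the article describes for 0.0.0.0 0.0.0.0
            net = "0.0.0.0" if m[2] == "0" else m[2]
            mask = "0.0.0.0" if m[3] == "0" else m[3]
            routes.append((m[1], ipaddress.ip_network(f"{net}/{mask}"), m[4]))
    return levels, nats, globals_, routes


def flow_permitted_by_default(levels, src, dst):
    """True when the appliance forwards src -> dst with no access-list applied:
    the source interface must have the strictly higher security level. Equal
    levels are not forwarded by default either (the appliance needs
    same-security-traffic permit inter-interface for that case)."""
    return levels[src] > levels[dst]


def translated_source(nats, globals_, src_iface, dst_iface, host):
    """Address a host on src_iface appears as when leaving via dst_iface.

    Returns the untranslated host for a NAT ID 0 (exempt) match, the global
    address (or the literal "interface", meaning the egress interface's own
    address) for a normal match, and None when no nat statement on src_iface
    covers the host or no global exists for that NAT ID on dst_iface.
    """
    addr = ipaddress.ip_address(host)
    for nat_iface, nat_id, net in nats:
        if nat_iface == src_iface and addr in net:
            if nat_id == 0:
                return host
            return globals_.get((dst_iface, nat_id))
    return None


def egress(routes, dst):
    """Longest-prefix match over the route statements; returns (interface,
    gateway) or None when nothing, not even a default route, matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gateway)
    return None if best is None else (best[0], best[2])


if __name__ == "__main__":
    levels, nats, globals_, routes = parse_config(SAMPLE_CONFIG)
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("dmz", "inside")]:
        verdict = "permitted" if flow_permitted_by_default(levels, src, dst) else "needs access-list"
        print(f"{src} -> {dst}: {verdict}")
    print("192.168.1.10 appears as", translated_source(nats, globals_, "inside", "outside", "192.168.1.10"))
    print("172.16.1.5 appears as", translated_source(nats, globals_, "dmz", "outside", "172.16.1.5"))
    print("198.51.100.7 leaves via", egress(routes, "198.51.100.7"))
```

Run it as a script to see the verdicts for the sample. A None from translated_source means no nat statement covers the host; whether the appliance then forwards the packet untranslated depends on its nat-control setting, which the article does not cover, so treat None as a configuration to go back and check rather than as a safe default.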