
EXAMPLE1

CONFIGURATION OF ASA FIREWALL


CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9

Evaluating BIOS Options ...

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Boot in 9 seconds
Boot in 8 seconds
Boot in 7 seconds
Boot in 6 seconds
Boot in 5 seconds
Boot in 4 seconds
Boot in 3 seconds
Boot in 2 seconds
Boot in 1 second

Launching BootLoader...
Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa842-k8.bin... Booting...


Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 152 files, 35584/62780 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 348127232, Reserved memory: 62914560

Total SSMs found: 0

Total NICs found: 10

88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0007.EC50.7208
88E6095 rev 2 Ethernet @ index 07 MAC: 0007.EC50.7207
88E6095 rev 2 Ethernet @ index 06 MAC: 0007.EC50.7206
88E6095 rev 2 Ethernet @ index 05 MAC: 0007.EC50.7205
88E6095 rev 2 Ethernet @ index 04 MAC: 0007.EC50.7204
88E6095 rev 2 Ethernet @ index 03 MAC: 0007.EC50.7203
88E6095 rev 2 Ethernet @ index 02 MAC: 0007.EC50.7202
88E6095 rev 2 Ethernet @ index 01 MAC: 0007.EC50.7201
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 44d3.caef.1e22
Encryption hardware device : Cisco ASA-5505 on-board accelerator
(revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xNNXH6ZS5 0x09T111P8
0xLVIRWMN0 0xA80D61UJ 0xLW5Y5Z9B

Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.4(2)

****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2011 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Reading from flash...

Practical Set for Firewall ASA – by Dr Sanja

Click on the CLI.


Step_1
ciscoasa>enable [ Type enable and press the enter key ]

Password: [ No password is needed, just press the enter key ]

ciscoasa# configure terminal [ Type configure terminal and press enter ]

ciscoasa(config)#exit [ From global configuration mode you can type exit ]

Instruction: to display the default configuration, perform a show run by typing show run.

ciscoasa#show run [ Since the ASA has a default built-in configuration, type show run to display it ]

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0 [ VLAN 2: port 0/0 ]
switchport access vlan 2 [ This indicates that VLAN 2 is at security level 0 ]
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3 [ VLAN 1: ports range from 0/1 to 0/7 ]
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
<--- More --->
interface Vlan1
nameif inside
security-level 100 [ Interface Vlan1 comes with a security level of 100 ]
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside [ outside zone ]
security-level 0 [ Interface Vlan2 comes with a security level of 0 ]
ip address dhcp
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
!
dhcpd auto_config outside
!
ciscoasa#
Type help or '?' for a list of available commands. [ In case you are stuck, type ? ]

ciscoasa>enable [ Type enable and press the enter key ]
Password:
ciscoasa#configure terminal
ciscoasa(config)#exit
ciscoasa#display run
^
% Invalid input detected at '^' marker.
ciscoasa#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!

telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
!
dhcpd auto_config outside
!
!
ciscoasa#
ciscoasa#conf t
ciscoasa(config)#interface vlan2
ciscoasa(config-if)#no ip add dhcp

WARNING: DHCPD bindings cleared on interface 'outside', address pool removed

Step_2

ciscoasa(config-if)#ip add 50.0.0.1 255.255.255.0 [ You have configured the IP address on vlan2 ]

[ Now go ahead and give the IP address to the server located to the right ]

ciscoasa(config-if)#

ciscoasa(config)#object network ? [ Type object network ? to see the options ]

configure mode commands/options:
WORD Specifies object ID (1-64 characters)

[ Perform the following; you may name the object NETIN ]

ciscoasa(config)#object network NETIN

ciscoasa(config-network-object)#SUBnet? [ Type SUBnet? ]

ciscoasa(config-network-object)#SUBnet ? [ Read the options ]


network-object mode commands/options:
A.B.C.D Enter an IPV4 network address
X:X:X:X::X/<0-128> Enter an IPv6 prefix

ciscoasa(config-network-object)#SUBnet 192.168.1.0 ?

network-object mode commands/options:
A.B.C.D Enter an IPv4 network mask

[ Configure the firewall with the IP network and subnet mask as below ]

ciscoasa(config-network-object)#SUBnet 192.168.1.0 255.255.255.0


[ Configure NAT between the inside and outside interfaces, dynamic, using the outside interface address as the mapped IP, as below ]

ciscoasa(config-network-object)#nat (inside,outside) dynamic ?

network-object mode commands/options:
interface Use interface address as mapped IP

ciscoasa(config-network-object)#nat (inside,outside) dynamic interface

ciscoasa(config-network-object)#exit

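As an added example (not part of the lab handout): a small Python checker that parses the interface stanzas of a show run like the one above and audits the Step 2 outcome, namely that the outside VLAN carries a static address rather than DHCP and that the object NAT translates from the higher-security inside zone to the lower-security outside zone. The config text it reads is a constructed sample, not output captured from the device.

```python
import re

# Constructed sample (not device output): show run VLAN stanzas plus Step 2's NAT.
SAMPLE_RUN = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.0.0.1 255.255.255.0
!
object network NETIN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) (dynamic|static) \S+", re.M)

def parse_interfaces(cfg):
    ifaces, cur = {}, None                   # nameif -> {"level", "ip"}
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = {"level": None, "ip": None}   # new interface stanza
        elif s == "!":
            cur = None                          # stanza ended
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split(None, 1)[1]] = cur
        elif cur is not None and s.startswith("security-level "):
            cur["level"] = int(s.split()[1])
        elif cur is not None and s.startswith("ip address "):
            cur["ip"] = s.split(None, 2)[2]     # "dhcp" or "addr mask"
    return ifaces

def audit(cfg):
    """Flag a DHCP-assigned outside address, NAT naming a zone without a
    security-level, and dynamic PAT whose real zone is the lower-security side."""
    ifaces, findings = parse_interfaces(cfg), []
    for name, info in ifaces.items():
        if info["level"] == 0 and info["ip"] == "dhcp":
            findings.append(f"{name}: outside address still assigned by DHCP")
    for real, mapped, kind in NAT_RE.findall(cfg):
        lr, lm = (ifaces.get(z, {}).get("level") for z in (real, mapped))
        if None in (lr, lm):                    # unknown zone or no level
            findings.append(f"nat ({real},{mapped}): zone unknown or without security-level")
        elif kind == "dynamic" and lr < lm:     # lab expects inside -> outside
            findings.append(f"nat ({real},{mapped}): dynamic PAT from lower to higher security")
    return findings
```

Running audit on the sample returns no findings; feeding it the show run from Step 1 (outside still on DHCP) or a NAT rule written in the wrong direction produces one finding each.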