Initial Setup
When the security appliance is booted with no configuration, it offers a setup menu that enables you to configure the initial parameters such as the device name and the IP address. You can choose to go through the initial setup menu for quick configuration.
In Example 4-4, a security appliance is prompting the user to specify whether they wish to go through the interactive menu to preconfigure the device. If a user types yes or selects the default option, the security appliance walks them through the configuration of ten parameters. The security appliance shows the default values in brackets ([]) before prompting the user to accept or change them. To accept the default input, press Enter. After going through the initial setup menu, the security appliance displays the summary of the new configuration before prompting the user to accept or reject them.
Example 4-4. Initial Setup Menu
```
Pre-configure Firewall now through interactive prompts [yes]? yes
Firewall Mode [Routed]:
Enable password []: cisco123
Allow password recovery [yes]?
Clock (UTC):
  Year [2003]: 2005
  Month [Aug]:
  Day [16]: 5
  Time [02:02:48]: 23:30:00
Inside IP address: 192.168.10.1
Inside network mask: 255.255.255.0
Host name: Chicago
Domain name: securemeinc.com
IP address of host running Device Manager: 192.168.10.100

The following configuration will be used:
Enable password: cisco123
Allow password recovery: yes
Clock (UTC): 23:30:00 Aug 5 2005
Firewall Mode: Routed
Inside IP address: 192.168.10.1
Inside network mask: 255.255.255.0
Host name: Chicago
Domain name: securemeinc.com
IP address of host running Device Manager: 192.168.10.100

Use this configuration and write to flash? yes
INFO: Security level for "inside" set to 100 by default.
Cryptochecksum: 1d3c3c10 b029b36d 9c95faaa 3b8dca37
1252 bytes copied in 3.330 secs (417 bytes/sec)
Chicago>
```
Table 4-2 lists all the parameters that can be configured in the initial setup menu. It also provides a brief description of each parameter along with the default and configured values.
Table 4-2. Initial Setup Parameters

| Parameter | Description | Default Value | Configured Value |
|---|---|---|---|
| Enable password | Specifies the enable password | None | cisco123 |
| Firewall mode | Sets up the security appliance as a Layer 2 or 3 firewall | Routed | Routed |
| Inside IP address | Specifies the IP address on the inside interface | None | 192.168.10.1 |
| Inside subnet mask | Specifies the subnet mask on the inside interface | None | 255.255.255.0 |
| Host name | Sets the host name on the device | ciscoasa | Chicago |
| Domain name | Sets the domain name on the device | None | securemeinc.com |
| IP address of host running Device Manager | Specifies the IP address of the host machine responsible for managing the Cisco ASA | None | 192.168.10.100 |
| Clock | Sets up the current time on the Cisco ASA | varies | 4:18 PM August 5th 2005 |
| Save configuration | Prompts the user if configuration needs to be saved | Yes | Yes |
| Allow password recovery | Prompts the user if password recovery is allowed | Yes | Yes |
If a user bypasses the initial setup, the same parameters and features can be set up by using the CLI commands discussed throughout this chapter. The next section discusses how to configure a device name from the CLI.
Tip
The initial setup process can be rerun by using the setup command in configuration mode.
Setting Up the Device Name
The default device name, also known as the host name, of a security appliance is ciscoasa. It is highly recommended that you set a unique device name to identify the security appliance on the network. In Example 4-5, the host name of the security appliance is changed to Chicago by using the hostname command. Because it is a configuration change, the administrator needs to go to configuration mode before the hostname command can be used. As soon as the host name is altered, the CLI prompt is changed to reflect this modification.
Example 4-5. Setting Up the Host Name
```
ciscoasa# configure terminal
ciscoasa(config)# hostname Chicago
Chicago(config)#
```
Networking devices usually belong to a network domain. A domain name can be specified on the security appliance, which appends the unqualified host names with the configured domain name. For example, if the security appliance tries to reach a host, secweb, by its host name and the configured domain name is securemeinc.com, then the fully qualified domain name (FQDN) will be secweb.securemeinc.com. The domain name is specified by using the domain-name command followed by the actual name of your organization's domain. As shown in Example 4-6, a domain name of securemeinc.com is set up in configuration mode.
Example 4-6. Setting Up the Domain Name
```
Chicago# configure terminal
Chicago(config)# domain-name securemeinc.com
```
Note
The domain name is necessary if RSA (Rivest, Shamir, and Adleman) keys need to be generated. These keys are used for Public Key Infrastructure (PKI) implementation and for secure access such as SSH and Secure Sockets Layer (SSL).
Configuring an Interface
Cisco ASA 5510 comes with four Fast Ethernet interfaces (Ethernet0/0 through Ethernet0/3) and a management interface (Management0/0), while Cisco ASA 5520 and Cisco ASA 5540 have four Gigabit Ethernet interfaces (GigabitEthernet0/0 through GigabitEthernet0/3) and a management interface (Management0/0). The Fast Ethernet and Gigabit Ethernet interfaces are used to route traffic from one interface to another based on the configured policies, while the management interface is designed to establish out-of-band connections. By default, all of these interfaces are shut down, meaning no traffic can pass through them. You can enable an interface by issuing the no shutdown command in interface sub-configuration mode. As shown in Example 4-7, the administrator is enabling the GigabitEthernet0/0 interface.
Example 4-7. Enabling an Interface
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# no shutdown
```
Cisco ASA protects the internal network from external threats. Each interface is assigned a name to designate its role on the network. The most secure network is typically labeled as the inside network, whereas the least secure network is tagged as the outside network. For semitrusted networks, you can define them as demilitarized zones (DMZs).
If you go through the initial setup and configure an IP address and a subnet mask, the security appliance designates the GigabitEthernet0/1 interface as the inside interface on the Cisco ASA 5520 and 5540, while it designates Ethernet0/1 as the inside interface on the Cisco ASA 5510. You can also use the nameif command followed by the name to be assigned to the interface. You must use the interface name to set up the configuration features that are linked to an interface. In Example 4-8, the administrator has designated the GigabitEthernet0/0 interface as outside and GigabitEthernet0/1 as inside.
Example 4-8. Assigning Names to Interfaces
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# exit
Chicago(config)# interface GigabitEthernet0/1
Chicago(config-if)# nameif inside
```
The security appliance also uses the concept of assigning security levels to the interfaces. The higher the security level, the more secure an interface is. Consequently, the security level is used to reflect the level of trust of this interface with respect to the level of trust of another interface on the Cisco ASA. The security level can be between 0 and 100. Therefore, the most secure network is placed behind the interface with a security level of 100. The security level is assigned by using the security-level command, as shown in Example 4-9. The inside interface has been configured with a security level of 100, and the outside interface with a security level of 0.
Note
The Cisco ASA allows you to assign the same security level to more than one interface. If communication is required for the hosts on the same security level interfaces, use the global configuration same-security-traffic permit inter-interface command.
Example 4-9. Assigning Security Levels
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# exit
Chicago(config)# interface GigabitEthernet0/1
Chicago(config-if)# nameif inside
Chicago(config-if)# security-level 100
```
Note
When an interface is configured with a nameif command, the security appliance automatically assigns a preconfigured security level. If an interface is set up with an inside name, the security appliance assigns a security level of 100. For all the other interface names, the security appliance sets the security level to 0.
Additionally, an interface that has not been assigned a security level does not respond at the network layer.
The most important parameter under the interface configuration is the assignment of an IP address. This is required if an interface is to be used to pass traffic in the Layer 3 firewall, also known as routed mode. An address can be either statically or dynamically assigned. To assign an IP address to an interface, use the ip address command followed by an IP address and subnet mask. The complete syntax of the ip address command is shown here:
```
ip address ip_address [mask] [standby ip_address]
ip address dhcp [setroute]
```
The ip_address argument of the ip address command is the static address to be configured on this interface, and mask is the subnet mask for that IP address. If no mask is specified, the security appliance assigns the default classful mask for the configured IP address. The standby ip_address is also optional and is used only if this interface participates in failover, discussed in Chapter 11, "Failover and Redundancy."
Note
If a security appliance is deployed in transparent mode, discussed in Chapter 10, "Transparent Firewalls," the IP address is configured in global configuration mode.
The security appliance also supports interface address assignment through a Dynamic Host Configuration Protocol (DHCP) server. This is a preferred method if an ISP dynamically allocates an IP address to the outside interface. The dhcp keyword indicates that a DHCP server will assign an IP address, while the setroute keyword informs the security appliance to use the DHCP server's specified default gateway as the default route.
Note
Chapter 6, "IP Routing," discusses how to configure a default route to get connectivity to the networks that are not in the routing table.
In Example 4-10, a DHCP server is responsible for assigning an IP address on the outside interface, while a static IP address of 192.168.10.1 with a mask of 255.255.255.0 is set up on the inside interface.
Example 4-10. Assigning Interface IP Addresses
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# ip address dhcp setroute
Chicago(config-if)# exit
Chicago(config)# interface GigabitEthernet0/1
Chicago(config-if)# nameif inside
Chicago(config-if)# security-level 100
Chicago(config-if)# ip address 192.168.10.1 255.255.255.0
```
Optionally, you can configure speed and duplex on an interface. Both parameters are set to auto by default and can be changed to avoid link negotiations. The command syntax to change the speed and duplex is as follows:
```
speed {auto | 10 | 100 | 1000}
duplex {auto | full | half}
```
The speed option is used to hard-code the interface connection speed to 10, 100, or 1000 Mbps. This option does not allow an interface to auto-negotiate link speed on the interface. The duplex option disables auto-negotiation of duplex parameters and limits an interface to act either in full or half-duplex mode. As demonstrated in Example 4-11, the outside interface is set up with a connection speed of 1000 Mbps using full-duplex mode.
Example 4-11. Configuring Speed and Duplex on an Interface
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# ip address dhcp setroute
Chicago(config-if)# speed 1000
Chicago(config-if)# duplex full
```
Note
The management interface, discussed in the section titled "Configuring a Management Interface," is a FastEthernet interface, which only allows either 10 or 100 Mbps as the interface speed.
The Ethernet-based interfaces on the Cisco ASA 5500 series support the auto-MDI/MDIX (media-dependent interface/media-dependent interface crossover) feature, so a crossover cable is not required when connecting two interfaces of the same type. They perform an internal crossover when a straight-through cable connects two such interfaces. This feature works only when both the speed and duplex parameters are set to auto-negotiate.
Caution
If the speed and duplex settings do not match the speed and duplex settings on the other end of the Ethernet connection, you will see packet loss, which will result in performance degradation.
The security appliance shows the output of interface-related parameters and counters information when the show interface command is used. As illustrated in Example 4-12, GigabitEthernet0/0 is set up as the outside interface and has an IP address of 209.165.200.225, while GigabitEthernet0/1 is set up as the inside interface with an IP address of 192.168.10.1.
Example 4-12. Output of show interface
```
Chicago# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0013.c480.90ee, MTU 1500
        IP address 209.165.200.225, subnet mask 255.255.255.224
        79855 packets input, 6345439 bytes, 0 no buffer
        Received 79692 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        75 packets output, 7806 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (0/5) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/0)
        Received 79220 VLAN untagged packets, 4869649 bytes
        Transmitted 75 VLAN untagged packets, 6420 bytes
        Dropped 14202 VLAN untagged packets
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0013.c480.90ef, MTU 1500
        IP address 192.168.10.1, subnet mask 255.255.255.0
        79693 packets input, 6331839 bytes, 0 no buffer
        Received 79693 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (0/6) software (0/0)
        output queue (curr/max blocks): hardware (0/1) software (0/0)
        Received 79059 VLAN untagged packets, 4859061 bytes
        Transmitted 1 VLAN untagged packets, 28 bytes
        Dropped 14114 VLAN untagged packets
```
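The Caution above says that a speed/duplex mismatch shows up as packet loss; in practice it shows up first in the counters of show interface. The following Python script is an added example, not code from the book or from Cisco: it parses output of the shape shown in Example 4-12 and flags the usual symptoms (a half-duplex link, a link negotiated below its hardware bandwidth, CRC errors and late collisions). The sample output embedded in it is constructed; the second interface has deliberately been given mismatch symptoms so that the checks have something to find.

```python
import re

# Constructed sample in the shape of Example 4-12, not a capture from a real appliance.
# GigabitEthernet0/1 is given the classic duplex-mismatch symptoms on purpose:
# half duplex on this side, CRC errors and late collisions.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0013.c480.90ee, MTU 1500
        IP address 209.165.200.225, subnet mask 255.255.255.224
        79855 packets input, 6345439 bytes, 0 no buffer
        Received 79692 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        75 packets output, 7806 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        MAC address 0013.c480.90ef, MTU 1500
        IP address 192.168.10.1, subnet mask 255.255.255.0
        79693 packets input, 6331839 bytes, 0 no buffer
        Received 79693 broadcasts, 0 runts, 0 giants
        412 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions
        37 late collisions, 0 deferred
"""

# One header line per interface; everything up to the next header belongs to it.
_HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)', re.M)
_FIELDS = {
    "bw_mbps": re.compile(r"BW (\d+) Mbps"),
    "duplex": re.compile(r"Auto-Duplex\((\w+)-duplex\)"),
    "speed_mbps": re.compile(r"Auto-Speed\((\d+) Mbps\)"),
    "ip": re.compile(r"IP address (\S+), subnet mask"),
    "mask": re.compile(r"subnet mask (\S+)"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "crc": re.compile(r"(\d+) CRC"),
    "collisions": re.compile(r"output errors, (\d+) collisions"),
    "late_collisions": re.compile(r"(\d+) late collisions"),
}
_NUMERIC = {"bw_mbps", "speed_mbps", "input_errors", "crc", "collisions", "late_collisions"}


def parse_show_interface(text):
    """Split `show interface` output into one dict per interface."""
    headers = list(_HEADER.finditer(text))
    result = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        iface = {"name": h.group(1), "nameif": h.group(2),
                 "status": h.group(3), "protocol": h.group(4)}
        for key, rx in _FIELDS.items():
            m = rx.search(block)
            if m:
                iface[key] = int(m.group(1)) if key in _NUMERIC else m.group(1)
        result.append(iface)
    return result


def check_interfaces(ifaces):
    """Return one warning per symptom of a misnegotiated link."""
    findings = []
    for i in ifaces:
        label = f'{i["name"]} "{i["nameif"]}"'
        if i.get("duplex", "").lower() == "half":
            findings.append(f"{label}: half duplex; verify the peer port setting")
        if i.get("speed_mbps", 0) < i.get("bw_mbps", 0):
            findings.append(f'{label}: negotiated {i["speed_mbps"]} Mbps on a '
                            f'{i["bw_mbps"]} Mbps link; check the peer speed/duplex')
        if i.get("crc", 0) or i.get("late_collisions", 0):
            findings.append(f'{label}: {i.get("crc", 0)} CRC errors, '
                            f'{i.get("late_collisions", 0)} late collisions; '
                            "a speed/duplex mismatch is the usual cause")
    return findings


if __name__ == "__main__":
    for finding in check_interfaces(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(finding)
```

Run against the output of a real appliance, the parser only needs the header line and the counter lines shown in Example 4-12; the other lines (queues, VLAN counters) are ignored.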
Configuring a Subinterface
Cisco ASA has a limited number of Ethernet-based interfaces and it currently does not allow adding more physical interfaces. However, you can divide a physical interface into multiple logical interfaces to increase the total number of interfaces. This is achieved by tagging each subinterface with a unique virtual LAN (VLAN) ID, which keeps the network traffic separate from other VLANs using the same physical interface. The security appliance uses the IEEE-specified 802.1Q trunking to connect the physical interface to an 802.1Q-enabled device.
The number of VLANs (subinterfaces) can range from 0 to 100 depending on the security appliance model and the license key used, as shown in Table 4-3.
Table 4-3. Number of VLANs Supported per Model and License

| Appliance Model | License Feature | Number of VLANs |
|---|---|---|
| ASA5510 | Base License | 0 |
| ASA5510 | Security Plus | 10 |
| ASA5520 | Base Plus | 25 |
| ASA5520 | VPN Plus | 25 |
| ASA5540 | Base Plus | 100 |
| ASA5540 | VPN Plus | 100 |
| ASA5540 | VPN Premium | 100 |
To create subinterfaces on an appliance, you can use the interface command followed by the interface name and the subinterface number, as shown in the following syntax:
```
interface physical_interface.subinterface
```
Here, physical_interface is the actual physical interface and subinterface is an integer between 1 and 4,294,967,295. Example 4-13 demonstrates how to create a subinterface 300 on GigabitEthernet0/0.
Example 4-13. Creating a Subinterface
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
```
Once you have created a subinterface, the next step is to associate the interface with a unique VLAN identity. Assign a VLAN ID by using the vlan subinterface configuration command followed by the actual VLAN ID, which ranges between 1 and 4096. In Example 4-14, the administrator has linked GigabitEthernet0/0.300 to vlan 300. Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.
Example 4-14. Associating a VLAN ID to a Subinterface
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
```
Caution
If the main physical interface is shut down, all the associated subinterfaces are disabled as well.
The subinterface is configured identically to a physical interface, using the nameif, security-level, and ip address commands. It does not, however, allow the use of speed and duplex commands, discussed in the previous section. Example 4-15 shows a subinterface GigabitEthernet0/0.300 configuration that is set up as a DMZ interface with the security level 30 and an IP address of 192.168.20.1/24 in VLAN 300.
Example 4-15. Configuring Subinterface Parameters
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Chicago(config-if)# nameif DMZ
Chicago(config-if)# security-level 30
Chicago(config-if)# ip address 192.168.20.1 255.255.255.0
```
Note
Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.
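The interface and subinterface sections above state several rules that are easy to violate in a hand-written configuration: a nameif without a security-level silently defaults to 100 for inside and 0 for everything else, two interfaces at the same level cannot talk without same-security-traffic permit inter-interface, a subinterface dies with its shut-down parent, and speed and duplex are not accepted on a subinterface. The following Python script is an added example, not code from the book or from Cisco, that reads a running-config-style interface section and reports each of those conditions. The configuration it audits is constructed for the example and includes a deliberately sloppy GigabitEthernet0/2 stanza.

```python
import re
from collections import defaultdict

# Constructed running-config fragment in the style of Examples 4-10 and 4-15.
# GigabitEthernet0/2 and its subinterface are written badly on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 speed 1000
 duplex full
!
interface GigabitEthernet0/0.300
 vlan 300
 nameif DMZ
 security-level 30
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif backup
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif lab
 security-level 30
 ip address 10.0.10.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return (interfaces by name, whether inter-interface same-security traffic is permitted)."""
    interfaces = {}
    same_security = "same-security-traffic permit inter-interface" in config
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = {"name": m.group(1), "shutdown": False, "speed_duplex": False,
                       "vlan": None, "nameif": None, "security_level": None, "ip": None}
            interfaces[m.group(1)] = current
            continue
        if line == "!":          # end of the stanza
            current = None
        if current is None or not line:
            continue
        if line == "shutdown":
            current["shutdown"] = True
        elif line.startswith(("speed ", "duplex ")):
            current["speed_duplex"] = True
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            current["ip"] = line[len("ip address "):]
    return interfaces, same_security


def effective_security_level(iface):
    """Apply the default from the Note above: inside gets 100, any other name gets 0."""
    if iface["security_level"] is not None:
        return iface["security_level"]
    return 100 if iface["nameif"] == "inside" else 0


def audit_interfaces(config):
    interfaces, same_security = parse_interfaces(config)
    findings = []
    by_level = defaultdict(list)
    for name, i in interfaces.items():
        parent = name.split(".")[0] if "." in name else None
        if parent:
            if i["vlan"] is None:
                findings.append(f"{name}: subinterface without a vlan ID")
            elif not 1 <= i["vlan"] <= 4096:
                findings.append(f"{name}: vlan {i['vlan']} outside 1-4096")
            if i["speed_duplex"]:
                findings.append(f"{name}: speed/duplex are not allowed on a subinterface")
            if interfaces.get(parent, {}).get("shutdown"):
                findings.append(f"{name}: parent {parent} is shut down, so this subinterface is disabled too")
        if i["nameif"] is None:
            continue                      # an unnamed interface carries no traffic
        level = effective_security_level(i)
        if i["security_level"] is None:
            findings.append(f"{name}: no security-level; nameif {i['nameif']} defaults to {level}")
        elif not 0 <= level <= 100:
            findings.append(f"{name}: security-level {level} outside 0-100")
        if i["ip"] is None and not i["shutdown"]:
            findings.append(f"{name}: named and enabled but has no ip address")
        by_level[level].append(i["nameif"])
    for level, names in by_level.items():
        if len(names) > 1 and not same_security:
            findings.append(f"interfaces {', '.join(names)} share security-level {level}; "
                            "traffic between them needs 'same-security-traffic permit inter-interface'")
    return findings


if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG):
        print(finding)
```

The VLAN range check uses the 1 to 4096 bound the text gives; adjust it to whatever your software release actually accepts. The audit treats the presence of the global same-security-traffic line as resolving every shared-level pair, which is what the Note above describes.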
Configuring a Management Interface
Cisco ASA 5500 appliances have a built-in Management0/0 port, which is designed to pass management-related traffic only. The management interface blocks all the traffic that is trying to pass through it and only permits traffic destined to the security appliance. This ensures that the management traffic is separate from the data traffic on an appliance. You can change this default behavior, however, to allow through traffic similar to the Gigabit Ethernet interfaces. Additionally, any Gigabit Ethernet or Fast Ethernet interface can act as a dedicated management interface when it is configured with the management-only command. As shown in Example 4-16, the Management0/0 interface is set up to allow through traffic, while GigabitEthernet0/2 is set up as the management-only interface.
Note
The base license on the Cisco ASA 5510 does not allow you to enable through traffic on the management interface.
Example 4-16. Configuring a Management-Only Interface
```
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/2
Chicago(config-if)# management-only
Chicago(config-if)# exit
Chicago(config)# interface Management0/0
Chicago(config-if)# no management-only
```
Some general characteristics about a management interface include the following:
- Routing protocols such as RIP and OSPF are supported on a management interface.
- A subinterface can also act as a management interface if configured with the management-only command.
- Multiple management interfaces are supported on an appliance.
- Traffic through the security appliance is dropped on a management interface and a syslog message is generated to log this event.
- VPN tunnels for remote management are allowed on a management interface.
DHCP Services
Cisco ASA can act as a DHCP server to hand out IP addresses to the end machines that are running the DHCP client services. The supported DHCP server options can be enabled by using the dhcpd command, as shown in Example 4-17.
Example 4-17. Supported DHCP Server Options
```
Chicago# configure terminal
Chicago(config)# dhcpd ?

configure mode commands/options:
  address       Configure the IP pool address range after this keyword
  auto_config   Enable auto configuration from client
  dns           Configure the IP addresses of the DNS servers after this keyword
  domain        Configure DNS domain name after this keyword
  enable        Enable the DHCP server
  lease         Configure the DHCPD lease length after this keyword
  option        Configure options to pass to DHCP clients after this keyword
  ping_timeout  Configure ping timeout value after this keyword
  wins          Configure the IP addresses of the NETBIOS servers after this keyword
```
To configure the DHCP server on the security appliance, use the following steps:
Step 1. Enable the DHCP server.

The first step in setting up the DHCP server is to enable it on an interface. Use the dhcpd enable command followed by the name of an interface. The security appliance runs the DHCP services on the configured interface. As shown in the following example, the administrator is enabling the DHCP services on the inside interface.

```
Chicago(config)# dhcpd enable inside
```

Step 2. Define a DHCP pool of addresses.

The next step in setting up the DHCP server is to define a pool of addresses that can be assigned to a DHCP client. Use the dhcpd address command and configure a range of IP addresses. The pool of addresses is then bound to an interface. As shown in the following example, the administrator is setting up a pool of addresses that starts at 192.168.10.100 and ends at 192.168.10.200. This pool of addresses is bound to the inside interface.

```
Chicago(config)# dhcpd address 192.168.10.100-192.168.10.200 inside
```

Step 3. Set up WINS, DNS, and domain-name options.

The DHCP server sends the WINS, DNS, and domain name when an address is offered to a DHCP client, so the client computers do not need to be manually set up with these addresses. Use the dhcpd dns, dhcpd wins, and dhcpd domain commands to assign the DNS servers, WINS servers, and domain name to the DHCP clients. In the following example, the security appliance assigns 192.168.10.50 and 192.168.10.51 as the primary and secondary DNS addresses, 192.168.10.51 and 192.168.10.50 as the primary and secondary WINS addresses, and securemeinc.com as the domain name:

```
Chicago(config)# dhcpd dns 192.168.10.50 192.168.10.51
Chicago(config)# dhcpd wins 192.168.10.51 192.168.10.50
Chicago(config)# dhcpd domain securemeinc.com
```

Step 4. Specify the DHCP timeout parameters.

Before the security appliance allocates an IP address to a DHCP client, it sends two ICMP request packets to the address it is about to assign and waits 50 milliseconds for an ICMP response. If a response is received, the security appliance assumes that the address is already in use and does not assign it. This default ping timeout value can be changed by using the dhcpd ping_timeout command. If no response is received, the security appliance allocates the IP address until the DHCP lease expires, at which point the DHCP client is expected to return the assigned IP address. The default lease time of 3600 seconds can be changed by using the dhcpd lease command. In the following example, the administrator has set up a ping timeout value of 20 milliseconds and a DHCP lease time of 86,400 seconds (1 day).

```
Chicago(config)# dhcpd lease 86400
Chicago(config)# dhcpd ping_timeout 20
```

Step 5. Set up additional DHCP options (optional).

The security appliance allows you to assign DHCP option codes ranging from 0 to 255. These DHCP option codes are defined in RFC 2132 and can be set up on the security appliance by using the dhcpd option command. In the following example, DHCP option code 66 (TFTP server) is sent to the DHCP clients with a TFTP server address of 192.168.10.10. This option code is typically used by Cisco IP Phones to retrieve their configuration from the TFTP server.

```
Chicago(config)# dhcpd option 66 ip 192.168.10.10
```

Step 6. Set up DHCP auto-configuration (optional).

In many network implementations, the security appliance acts as a DHCP client on one interface and a DHCP server on another interface. This is usually the case when the security appliance gets an IP address from the ISP's DHCP server on its outside interface while acting as a DHCP server for the clients connected on the inside networks. In this scenario, the security appliance can pass the DNS, WINS, and domain-name information to its DHCP clients after receiving them from the DHCP server on the interface that acts as a DHCP client. This is achieved by configuring the dhcpd auto_config command with the name of the interface that acts as a DHCP client. In the following example, the security appliance is set up to pass the DNS, WINS, and domain-name information obtained on the outside interface to the DHCP clients:

```
Chicago(config)# dhcpd auto_config outside
```
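The six steps above leave several relationships implicit: the pool must lie inside the subnet of the interface it is bound to and must not include the interface's own address, dhcpd enable and dhcpd address refer to the same interface, option codes stay within 0 to 255, and dhcpd auto_config only makes sense on an interface that is itself a DHCP client. The following Python script is an added example, not code from the book or from Cisco, that parses the dhcpd lines of Steps 1 through 6 and checks those relationships with the standard ipaddress module. The interface addressing it consults is a constructed dict matching Example 4-10 (a static interface maps to "ip/prefix", a DHCP-client interface maps to "dhcp"), and BAD_DHCPD_CONFIG is a constructed counter-example.

```python
import ipaddress

# Constructed: the dhcpd lines from Steps 1-6 above, in the order they would
# appear in a running configuration. Not a capture from a real appliance.
SAMPLE_DHCPD_CONFIG = """\
dhcpd dns 192.168.10.50 192.168.10.51
dhcpd wins 192.168.10.51 192.168.10.50
dhcpd domain securemeinc.com
dhcpd lease 86400
dhcpd ping_timeout 20
dhcpd option 66 ip 192.168.10.10
dhcpd auto_config outside
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd enable inside
"""

# Constructed counter-example: the pool spills into another /24 and auto_config
# names an interface that is not a DHCP client.
BAD_DHCPD_CONFIG = """\
dhcpd address 192.168.10.1-192.168.11.50 inside
dhcpd enable inside
dhcpd auto_config inside
"""

# Interface addressing as configured in Example 4-10 (constructed dict):
# static interfaces map to "ip/prefix", DHCP-client interfaces map to "dhcp".
INTERFACE_ADDRESSES = {"outside": "dhcp", "inside": "192.168.10.1/24"}

DEFAULT_LEASE = 3600        # seconds, the default stated in Step 4
DEFAULT_PING_TIMEOUT = 50   # milliseconds, the default stated in Step 4


def parse_dhcpd(config):
    """Collect the dhcpd settings from a configuration fragment."""
    cfg = {"pools": {}, "enabled": set(), "options": {}, "lease": DEFAULT_LEASE,
           "ping_timeout": DEFAULT_PING_TIMEOUT, "auto_config": None,
           "dns": [], "wins": [], "domain": None}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "dhcpd":
            continue
        kw, args = parts[1], parts[2:]
        if kw == "address":                     # dhcpd address start-end ifname
            start, end = args[0].split("-")
            cfg["pools"][args[1]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif kw == "enable":
            cfg["enabled"].add(args[0])
        elif kw == "option":                    # dhcpd option code ip|ascii|hex value
            cfg["options"][int(args[0])] = args[1:]
        elif kw == "lease":
            cfg["lease"] = int(args[0])
        elif kw == "ping_timeout":
            cfg["ping_timeout"] = int(args[0])
        elif kw == "auto_config":
            cfg["auto_config"] = args[0]
        elif kw in ("dns", "wins"):
            cfg[kw] = [ipaddress.ip_address(a) for a in args]
        elif kw == "domain":
            cfg["domain"] = args[0]
    return cfg


def audit_dhcpd(cfg, interface_addresses):
    """Return a list of problems; an empty list means the DHCP setup is consistent."""
    findings = []
    for ifname in cfg["enabled"]:
        if ifname not in cfg["pools"]:
            findings.append(f"{ifname}: dhcpd enabled but no address pool is bound to it")
    for ifname, (start, end) in cfg["pools"].items():
        addr = interface_addresses.get(ifname)
        if addr is None or addr == "dhcp":
            findings.append(f"{ifname}: pool bound to an interface without a static address")
            continue
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        if start > end:
            findings.append(f"{ifname}: pool start {start} is after its end {end}")
        if start not in net or end not in net:
            findings.append(f"{ifname}: pool {start}-{end} is not inside {net}")
        elif start <= iface.ip <= end:
            findings.append(f"{ifname}: pool overlaps the interface address {iface.ip}")
        if ifname not in cfg["enabled"]:
            findings.append(f"{ifname}: pool defined but dhcpd is not enabled on this interface")
    for code in cfg["options"]:
        if not 0 <= code <= 255:
            findings.append(f"option code {code} is outside 0-255")
    if cfg["lease"] <= 0 or cfg["ping_timeout"] <= 0:
        findings.append("lease and ping_timeout must be positive")
    ac = cfg["auto_config"]
    if ac is not None and interface_addresses.get(ac) != "dhcp":
        findings.append(f"auto_config {ac}: that interface is not a DHCP client, so there is nothing to pass on")
    return findings


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_DHCPD_CONFIG), ("bad", BAD_DHCPD_CONFIG)):
        print(name, audit_dhcpd(parse_dhcpd(text), INTERFACE_ADDRESSES) or "ok")
```

The overlap check matters because the pool in Step 2 starts at .100 while the inside interface from Example 4-10 is .1; a pool written as .1-.200 would hand the appliance's own address to a client.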