PIX/ASA Checklist

As with configuring any firewall, administrators should develop a checklist that they can use during the installation and implementation of the PIX/ASA firewall in the network. There are really two components to this checklist. First, you want to define the implementation requirements and determine how the firewall should be configured and what options will be enabled. In essence, design and plan your firewall implementation before you configure and implement the firewall.

To help with the planning of your PIX/ASA firewall implementation, consider the following items (although not an exhaustive list, it is a good basic checklist for many environments):

- Determine how many interfaces will be required.
- Determine how the interfaces will need to be configured (for example, interface speed and duplex).
- Determine the IP addresses that will be assigned to the firewall interfaces and how the addresses will be assigned (for example, static IP addresses or DHCP configuration).
- Determine what type of routing will be used (dynamic or static) and define any static and default routes.
- Determine how NAT will be used (for example, static, dynamic, no NAT at all, or any combination of the three).
- Define which internal hosts will need to be accessed from the outside, and whether that access will be handled by static NAT or without NAT.
- Define which ACLs (both inbound and outbound) will be required.
- Define how authentication and command authorization on the PIX will be handled (for example, will a AAA server be required?).
- Define the firewall administrator roles and the corresponding access levels that will be required.
- Will remote-access or LAN-to-LAN VPNs be configured on the PIX/ASA? If so, define the VPN configuration settings.
- Define the passwords that will be used on the firewall.
- Define how the PIX will be managed (for example, using Telnet, SSH, ASDM) and from what networks or hosts remote access will be permitted.
- Define how logging will be handled (for example, will the PIX/ASA log to a remote syslog server?).

After you have completed your planning and defined the requirements and determined how the firewall should be configured and what options will be enabled, the second step of the PIX/ASA checklist is to list out the specific configuration steps required to configure the firewall. Whereas the preceding checklist focused on the planning and design, this checklist uses that information to define what actually needs to be done for the actual firewall configuration.

A good configuration checklist for the PIX/ASA firewall consists of the following:

1. Configure the firewall interfaces.
2. Configure the firewall passwords.
3. Configure the firewall name and domain name.
4. Assign addresses to the firewall interfaces.
5. Configure the appropriate routing.
6. Configure the appropriate remote management settings.
7. Configure AAA as required.
8. Configure the firewall time settings.
9. Configure the appropriate logging settings.
10. If required, configure NAT and any other translations.
11. Build and implement the appropriate ACLs and apply them to the appropriate interfaces in the appropriate direction.
12. Configure application inspection.
13. Configure advanced features such as failover, VPN, or IPS.
14. If the firewall is an ASA, configure the advanced antivirus, antispyware, and antiphishing settings.
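
One way to put the configuration checklist to work is to check a saved configuration against it. The script below is an added example, not part of the original text: it tests a constructed ASA 8.x-style configuration for evidence of steps 1 through 9 and step 11, and for step 11 also confirms that every applied ACL is actually defined. The step-to-command mapping, the sample configuration, and the names `audit` and `missing_steps` are assumptions of this example, and the checks test presence only, not whether the settings are appropriate.

```python
import re

# Constructed sample in ASA 8.x-style syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
hostname fw-example
domain-name example.com
enable password CONSTRUCTED-PLACEHOLDER encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254
ssh 10.0.0.0 255.255.255.0 inside
logging enable
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
"""

# Checklist step -> (label, patterns that must all appear). Assumed mappings.
CHECKS = {
    1: ("interfaces", [r"^ *nameif \S+"]),
    2: ("passwords", [r"^enable password \S+"]),
    3: ("name and domain name", [r"^hostname \S+", r"^domain-name \S+"]),
    4: ("interface addresses", [r"^ *ip address \S+ \S+"]),
    5: ("routing", [r"^route \S+ \S+ \S+ \S+|^router (ospf|rip|eigrp)\b"]),
    6: ("remote management", [r"^(ssh|http|telnet) \d\S* \S+ \S+"]),
    7: ("AAA", [r"^aaa authentication \S+"]),
    8: ("time settings", [r"^ntp server \S+|^clock timezone \S+"]),
    9: ("logging", [r"^logging enable\b"]),
}

def audit(config):
    """Return {step: (label, passed)} for checklist steps 1-9 and 11."""
    results = {step: (label, all(re.search(p, config, re.M) for p in pats))
               for step, (label, pats) in CHECKS.items()}
    # Step 11: at least one ACL is applied, and every applied ACL is defined.
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = set(re.findall(r"^access-group (\S+) (?:in|out) interface \S+", config, re.M))
    results[11] = ("ACLs built and applied", bool(applied) and applied <= defined)
    return results

def missing_steps(config):
    """Step numbers with no supporting configuration line."""
    return sorted(step for step, (_, ok) in audit(config).items() if not ok)

if __name__ == "__main__":
    for step, (label, ok) in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"step {step:>2} {label:<24} {'ok' if ok else 'MISSING'}")
```

On the sample, steps 7 (AAA) and 8 (time settings) are reported as missing because the constructed configuration contains no matching lines.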