Basic setup of Cisco ASA 5505

junglecom (United States of America) asked:

Greetings,

I have a crazy challenge for you all. Just kidding!! This may sound dumb, but I only want to set up the Cisco ASA 5505 to get internet access on vlan0 and have vlan 1 be able to access the internet. This has proven to be difficult as the manual explains about 2% of the features. I do not need any VPNs.

Please help!!

My basic ip configuration looks like this:
(Static)
wan ip: 111.111.111.111
Mask: 255.255.255.0
Gateway ip: 111.111.111.4
DNS 1: 111.111.222.2
DNS 2: 111.111.222.3

(Static)
LAN IP: 192.168.1.254
mask: 255.255.255.0
I do not use DHCP for LAN. I would like to use static. I would like the static range of 192.168.1.1-192.168.1.254

Thank you for your help!

ASKER CERTIFIED SOLUTION: Pete Long (United Kingdom)

(The accepted solution is available to Experts Exchange members only and is not shown on this page.)

junglecom (ASKER):
Where in that do you set your external DNS IPs? Also I would like to use the GUI to set this up as I am very green to cisco command line stuff.
Pete Long:

You would only need to tell the ASA where DNS servers were if you were going to lease that information to DHCP clients; the Cisco is a stateful firewall, it's bothered about IP addresses and port numbers, not names :)

Here's an extract of a document I wrote for a client, hang on...

5   Initial Setup

While working with the ASA you will discover some things are easier from the command line/console and others are easier from the ASDM; Coniston recommend you use a hybrid of the two methods to configure your firewalls as quickly and painlessly as possible.

5.1   Pre Build

Out of the box the ASA configures itself as follows

1.      Inside IP address 192.168.1.1
2.      Inside Subnet Mask 255.255.255.0
3.      DHCP Server enabled on the inside interface.
4.      Outside IP address (set to accept via DHCP).
5.      Outside subnet mask (set to accept via DHCP).
6.      Outside default gateway/router (set to accept via DHCP).
7.      ASDM Enabled.
8.      ASDM access allowed for 192.168.0.0 255.255.255.0.
9.      Enable Password Blank.
10.      VLAN1 set to Eth ports1-7 (Inside).
11.      VLAN2 set to Eth Port 0 (Outside).
12.      VLAN3 un-configured (DMZ; only available on a Security Plus ASA).
13.      Hostname set to ciscoasa.
14.      Domain name set to default.domain.invalid.
15.      All traffic is allowed out.
16.      No Traffic is allowed in.

So before you start you will need to know the following.

1.      Enable Password to be used
2.      Inside IP and subnet mask
3.      Outside IP and subnet mask
4.      IP and subnet mask of your Router
5.      IP and subnet mask of your DMZ (if you are going to deploy)


 5.2   Connecting and Startup Wizard


1.      Firstly connect the console port of the ASA to the PC/laptop as directed in section 4.1 above. Then connect your PC/laptop's network socket to Port 1 on the ASA using a standard straight-through network cable.

Note. You will need to set your PC/laptop to accept IP addresses automatically, then issue the following two commands to get an IP address from the ASA.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

ipconfig /release
ipconfig /renew

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

2.      You should be given an ip address in the 192.168.1.0 range with a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1
3.      Now connect to the ASA via the console port using HyperTerminal as detailed in section 4.1 above.
4.      Now we are going to set the inside IP address, allow ASDM access, and disable DHCP on the ASA from the console (Note. this is considerably easier and faster to do from the console session).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# no dhcpd address 192.168.1.2-192.168.1.254 inside
ciscoasa(config)# no dhcpd enable inside
ciscoasa(config)# write mem
Building configuration...
Cryptochecksum: 8aefe05d 987b891d af9ffd8c 680899fd

1445 bytes copied in 1.410 secs (1445 bytes/sec)
[OK]
ciscoasa(config)# int vlan1
ciscoasa(config-if)# ip address 10.3.0.254 255.255.0.0
ciscoasa(config-if)# http 10.3.0.0 255.255.0.0 inside
ciscoasa(config)# write mem
Building configuration...
Cryptochecksum: fb0511ec e285dcce e9148240 a49bf688

1475 bytes copied in 1.410 secs (1475 bytes/sec)
[OK]
ciscoasa(config)#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

5.      Now the inside IP address is set to 10.3.0.254 and the 10.3.0.0 network can connect to the ASDM.
6.      Change the IP address of your PC so it is on the same subnet as the inside of the ASA.

7.      Open a web browser window and navigate to https://10.3.0.254. If using IE7 then click Continue to the website (Not Recommended)
8.      The password will be blank so just click OK.
9.      Choose either to install locally or run the applet.  I will install locally and run the console from my PC.
10.      Follow the onscreen prompts and launch the ASDM Manager from your PC.
11.      Remember the username and passwords are still blank.
12.      Click Wizards > Startup Wizard.
13.      Select Modify Existing Configuration > Next.
14.      Select a name, domain name and new enable password > Next.
15.      Click Next.
16.      Enter the outside IP address and Subnet Mask > Next.
17.      Enter the inside IP address and Subnet Mask > Next.
18.      Enter the IP Address and Subnet Mask of the DMZ (if required), otherwise > Next.
19.      Review the information > Next.
20.      Next.
21.      Now we need to add in the IP address of the router > Add.
22.      Add in the IP address of the router outside as shown below.
23.      Next.
24.      We are using the outside IP > Next.
25.      Next.
26.      Next.
27.      Finish.
28.      Enter the new enable password > Login.


6    Allowing Traffic through the PIX

You allow traffic through the ASA FROM something TO something over a PORT.

The FROM and TO can either be a single IP address (a host) or a network. The port is a number that the firewall communicates over (on an ASA you can use friendly names for ports, e.g. www, smtp, pop3, etc.).

You allow traffic with an Access List (ACL), then you apply that ACL to an interface.

For example this lets an internal host 10.3.0.1 out to view web sites on TCP port 80

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ASA(config)# access-list outbound permit tcp host 10.3.0.1 any eq www
ASA(config)# access-group outbound in interface inside
ASA(config)# write mem
Building configuration...
Cryptochecksum: 0013bd70 bb503f98 d6927a52 040a9b57

1817 bytes copied in 1.410 secs (1817 bytes/sec)
[OK]
ASA(config)#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To do the same from the ASDM.

7   Port Forwarding through the ASA

Port forwarding simply takes a particular type of traffic (a port) and forwards it to one host.
In this example we will assume 10.3.0.2 is an email server and needs all TCP port 25 (SMTP mail) traffic forwarding to it.

First you need to create a rule (access-list) to allow the traffic in, then create a TRANSLATION (static command) for the port, then apply the rule to the interface (access-group command).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ASA(config)# access-list inbound permit tcp any interface outside eq smtp
ASA(config)# static (inside,outside) tcp interface smtp 10.3.0.2 smtp dns netmask 255.255.255.255
ASA(config)# access-group inbound in interface outside
ASA(config)# write mem
Building configuration...
Cryptochecksum: a5ac03a5 940e1c23 a8912f62 af7666a1

2014 bytes copied in 1.390 secs (2014 bytes/sec)
[OK]
ASA(config)#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To do the same thing with the ASDM  first create the rule.
Then the translation.

8   Site to Site VPN

To put in place a site to site vpn from an ASA5505 to another firewall you will need to know the following things.

1.      The network address behind the ASA
2.      The network address behind the Peer Firewall
3.      The IP address of the Peer Firewall
4.      The shared secret.
5.      The Encryption Protocol
6.      The Hashing Algorithm used.
7.      The Diffie Hellman Group

Note. Symantec Firewalls by default use 3DES, SHA1 and DH2 (the policy is called ike_default_crypto_strong)

For the purpose of this exercise I'll put in a 3DES, SHA1, DH2 VPN tunnel to 194.189.189.1; the subnet at the other end of the VPN tunnel is 172.16.1.0 255.255.255.0.

1.      Open the ASDM and select Wizards > VPN Wizard.
2.      Site to Site > Next.
3.      Enter the IP of the other firewall, the shared secret and > Next.
4.      Enter the encryption, hashing and Diffie Hellman properties. > Next.
5.      Enter the IPSec Encryption and Hashing Properties. > Next.
6.      Enter your network and the target network. > Next.
7.      Finish.
 
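Putting sections 5.1 and 5.2 together for the asker's addresses, as an added example that is not part of Pete Long's document: the console equivalent of what the Startup Wizard produces. It assumes an ASA 5505 running 7.x or 8.0-8.2 software (the same NAT syntax the `static` command in section 7 uses); the 8.3-and-later NAT form is shown commented out, and the enable password is a placeholder. There is no VLAN 0 on a 5505: Ethernet0/0 sits in VLAN 2 (outside) and Ethernet0/1-0/7 in VLAN 1 (inside), as items 10 and 11 of the factory defaults describe, so "vlan0 to the internet" is simply VLAN 2 with a static address.

```cisco
! Added example, not from Pete Long's document. ASA 5505, 7.x / 8.0-8.2 syntax.
! Addresses are the asker's: outside 111.111.111.111/24 via 111.111.111.4,
! inside 192.168.1.254/24, no DHCP, no VPN. The password is a placeholder.
hostname ciscoasa
enable password ChangeMeBeforeGoingLive
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.0
!
! Ethernet0/0 is the only port in VLAN 2 (outside); 0/1-0/7 stay in VLAN 1 (inside).
interface Ethernet0/0
 switchport access vlan 2
!
! The factory config learned its default route from the ISP's DHCP. With a static
! outside address there is no such route, so point it at the ISP router yourself.
route outside 0.0.0.0 0.0.0.0 111.111.111.4 1
!
! PAT: every inside host leaves the outside interface as 111.111.111.111.
! (Both lines are also in the factory config; shown so the picture is complete.)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Same PAT on 8.3 and later, where object NAT replaced nat/global:
! object network INSIDE-NET
!  subnet 192.168.1.0 255.255.255.0
!  nat (inside,outside) dynamic interface
!
! Clients get static addresses, so the factory DHCP server goes. The pool range
! in the factory config varies by licence, so clear the whole dhcpd section rather
! than guessing the range. The ASA itself is 192.168.1.254, so clients take
! 192.168.1.1-192.168.1.253 and carry their own DNS settings (111.111.222.2 and
! 111.111.222.3); as Pete says, the ASA needs no DNS entry for that.
clear configure dhcpd
!
! ASDM over HTTPS from the inside subnet only. Never open this on "outside".
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Sanity checks before saving:
! show interface ip brief     both VLAN interfaces up/up with the right addresses
! show route                  default route via 111.111.111.4
! ping 111.111.111.4          the ISP router answers
! packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.1 80
!                             ends "Action: allow" and shows the PAT to 111.111.111.111
write mem
```

The `packet-tracer` check is worth doing before the first client is plugged in: it walks a simulated packet through routing, NAT and access rules and names the phase that drops it, which is far quicker than guessing from a browser timeout.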

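A caveat on the one-line access list in section 6, as an added example that is not from Pete Long's document. With no ACL bound to "inside", the ASA lets everything from security-level 100 out to security-level 0. The moment `access-group outbound in interface inside` binds any list, that list's implicit "deny ip any any" applies to every inside host, so the single `permit tcp host 10.3.0.1 any eq www` lets one host browse on port 80 and silently cuts off everything else, including the DNS lookups that browsing depends on. Addresses are Pete's 10.3.0.0/16 example network; 198.51.100.10 is a made-up internet host for the tests.

```cisco
! Added example, not from Pete Long's document. ACL syntax is the same before and
! after 8.3. An outbound list that says what it means, then how to verify it.
access-list outbound remark DNS for the whole inside network (UDP and TCP)
access-list outbound extended permit udp 10.3.0.0 255.255.0.0 any eq domain
access-list outbound extended permit tcp 10.3.0.0 255.255.0.0 any eq domain
access-list outbound remark Web browsing from one host only
access-list outbound extended permit tcp host 10.3.0.1 any eq www
access-list outbound extended permit tcp host 10.3.0.1 any eq https
access-list outbound remark The mail server may send mail and nothing else
access-list outbound extended permit tcp host 10.3.0.2 any eq smtp
access-list outbound remark Explicit deny so the drops are logged (syslog 106023)
access-list outbound extended deny ip any any log
!
access-group outbound in interface inside
!
! Verify before saving:
! show access-list outbound
!     per-line hit counts; a line that never increments is a line to question
! packet-tracer input inside tcp 10.3.0.1 40000 198.51.100.10 80
!     ends "Action: allow" (matched the www line)
! packet-tracer input inside tcp 10.3.0.7 40000 198.51.100.10 80
!     ends "Action: drop" with "Drop-reason: (acl-drop) Flow is denied by configured rule"
write mem
```

The explicit logged deny changes nothing about what is blocked; it only makes the blocks visible in syslog, which is what you want on the first day the list is live.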

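The port forward from section 7 with all three parts the text names (rule, translation, binding), as an added example that is not from Pete Long's document, followed by the 8.3-and-later form and a way to test it without waiting for real mail. It assumes the mail server is 10.3.0.2 as in the section; 203.0.113.7 is a made-up internet source address, and the destination in the test is the ASA's own outside address (111.111.111.111 in the asker's setup).

```cisco
! Added example, not from Pete Long's document. Pre-8.3 syntax, as in the extract above.
! All three lines are required: without the access-group nothing is ever allowed in.
access-list inbound extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 10.3.0.2 smtp netmask 255.255.255.255
access-group inbound in interface outside
!
! The same forward on ASA 8.3 and later. NAT moved into network objects and the
! inbound ACL now names the real (inside) address rather than the outside interface:
! object network MAIL-SERVER
!  host 10.3.0.2
!  nat (inside,outside) static interface service tcp smtp smtp
! access-list inbound extended permit tcp any object MAIL-SERVER eq smtp
! access-group inbound in interface outside
!
! Test from the CLI before anyone on the internet does:
! packet-tracer input outside tcp 203.0.113.7 51000 111.111.111.111 25
!     should end "Action: allow", with the NAT phase showing 111.111.111.111 -> 10.3.0.2
! show xlate | include 10.3.0.2
!     the static translation is listed whether or not a connection is active
write mem
```

Keep the inbound list to exactly the ports the server must expose; an SMTP server that also answers on 110 or 143 from the internet is a separate decision, not something to add "while you are in there".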

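The CLI equivalent of the VPN Wizard steps in section 8, as an added example that is not from Pete Long's document, so the seven items in the list map onto configuration lines. It assumes ASA 8.0-8.2 syntax (7.x uses flat `isakmp policy 10 ...` lines instead of the sub-mode), Pete's 10.3.0.0/16 behind this ASA, the peer 194.189.189.1 with 172.16.1.0/24 behind it, and a placeholder shared secret. 3DES, SHA1 and DH group 2 are used because the section specifies them; where the peer supports it, prefer AES and a larger DH group today.

```cisco
! Added example, not from Pete Long's document. ASA 8.0-8.2 syntax.
! Item 3: the peer's address. Item 4: the shared secret (placeholder, replace it).
tunnel-group 194.189.189.1 type ipsec-l2l
tunnel-group 194.189.189.1 ipsec-attributes
 pre-shared-key ReplaceWithALongRandomSecret
!
! Items 5, 6, 7 for phase 1 (ISAKMP): 3DES, SHA1, DH group 2, pre-shared key.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Items 5 and 6 again for phase 2 (IPsec).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Items 1 and 2: the "interesting traffic" between the two networks, and the same
! pair exempted from PAT so the tunnel carries real addresses (pre-8.3 "nat 0").
access-list VPN-TRAFFIC extended permit ip 10.3.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NO-NAT extended permit ip 10.3.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! Tie it together and bind the crypto map to the outside interface.
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 194.189.189.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Bring the tunnel up by sending traffic from an inside host to 172.16.1.x, then:
! show crypto isakmp sa     state should read MM_ACTIVE for peer 194.189.189.1
! show crypto ipsec sa      #pkts encaps and #pkts decaps both rising
write mem
```

Phase 1 failing shows up in `show crypto isakmp sa` (no MM_ACTIVE entry) and almost always means a mismatch in one of items 4 to 7; phase 1 up with phase 2 failing means items 1 and 2 do not mirror what the peer has configured.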

junglecom (ASKER):

I am pretty confused... How does it know which DNS servers to route the traffic to? Also, I need static LAN IP addresses, not DHCP?
Pete Long:

>>How does it know which dns servers to route the traffic to

It does not. Why should it? It's a firewall: the traffic traversing it is going from IP address A to destination IP address B, using port number C.
There are no names in that equation.

The only things that need DNS are your network clients, on their PCs, and you have just said you are going to give them static IP addresses (IP address, subnet mask, default gateway, DNS servers).

junglecom (ASKER): I see! I understand now.
Pete Long: No problem, glad to help :)
junglecom (ASKER): Thanks!
Pete Long: ThanQ