Cisco ASA 5506-X Configuration Tutorial – Guide

Written By Harris Andrea

Throughout my professional career in networking I was lucky to work with all Cisco firewall models and therefore I have experienced the “evolution” of every firewall product developed by Cisco.

For the SMB/SOHO market, Cisco’s initial offering was the PIX 501, followed by the successful Cisco ASA 5505. The latter came to an End-of-Sale in 2014 and now the replacement low-end model is the new Cisco ASA 5506-X.

One of the most popular configuration guides on this blog is this basic ASA 5505 tutorial. Since these posts are useful for many people, I’ve decided to write a configuration tutorial for the new ASA 5506-X as well.

I will cover two popular use cases of the 5506-X. One is a simple scenario of providing internet access to an internal LAN. The second case is more advanced and will cover two DMZ zones, one with a publicly accessible Web Server and one with a Guest WiFi Access Point.

Table of Contents

  • Cisco ASA 5506-X Specs and Features
  • How to connect the ASA 5506-X in your network for Initial Configuration
  • ASA 5506-X Basic Configuration Tutorial
      • Step 1: Configure the Internal LAN interface
      • Step 2: Configure the Outside WAN interface
      • Step 3: Configure PAT using the outside interface
      • Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)
      • Step 5: Assign IP addresses via DHCP to internal hosts
      • Step 6: Enable SSH access for management
      • Step 7: Apply useful ACL on outside
  • ASA 5506-X Configuration with two DMZ Networks
      • Step 1: Configure the Interfaces
      • Step 2: Configure NAT Overload
      • Step 3: Configure static NAT (port redirection) and ACL to access Web Server
      • Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)

Cisco ASA 5506-X Specs and Features

Before starting the discussion on how to configure the 5506, let’s first see the most important specs and features of this model.

  • It comes in two hardware “flavors”, the normal 5506-X and also the 5506W-X which has an integrated wireless access point (a/b/g/n bands).
  • It comes in two software license “flavors”, the Base License and the Security Plus License.
  • 8x1GE Network Interfaces (these are routed ports, not switch ports like the previous 5505 model).
  • 1 Management Interface (for the FirePOWER module).
  • Performance throughput varies according to which services are enabled: 300 Mbps for firewall services only, 250 Mbps with Application Visibility and Control (AVC), 125 Mbps with AVC and IPS/NGIPS, and 100 Mbps for VPN throughput.
  • Max 20,000 concurrent sessions with the Base License or 50,000 with the Sec.Plus License.
  • 5 VLANs with Base License and 30 with the Security Plus License.
  • 10 IPSEC Site-to-Site VPNs (Base License) and 50 VPNs with Sec. Plus.
  • Unlimited internal hosts (even with the Base License).
  • Active/Standby high availability (only with Security Plus License).
  • Comes with FirePOWER Services (Application Visibility and Control – AVC) which supports more than 3000 application-layer and risk-based controls.
  • With extra subscription cost you can also have Next Generation IPS, Advanced Malware Protection and URL filtering.

Note Regarding Licenses and Subscriptions:

You should contact your local reseller and ask about license cost, “right-to-use” subscriptions needed etc. They made licensing too complex in my opinion, so you must consult your reseller for the details and to avoid any “surprises”. For example, AnyConnect needs an extra license, IPS requires a subscription etc.

How to connect the ASA 5506-X in your network for Initial Configuration

As you can see in the specs section above, there are 8x1G network interfaces and also one Management interface (Management 1/1) which belongs to the FirePOWER module. In order to deploy the device in your network and be able to start its initial configuration, connect it as follows:

[Figure: initial configuration of asa 5506]

NOTES:

  • The Management 1/1 interface belongs to the separate FirePOWER module and NOT to the ASA.
  • DO NOT configure an IP address for the Management 1/1 interface inside the ASA configuration.
  • The default “inside” IP address for managing the ASA is 192.168.1.1 (interface GE1/2).
  • You must configure an IP address for Management1/1 in the 192.168.1.x subnet (e.g. 192.168.1.2) inside the FirePOWER module (or via the ASDM GUI as we’ll see below).
  • You must connect both GE1/2 (inside) and Management1/1 interfaces on the same Layer 2 LAN switch.
  • The outside interface (GE1/1) must be connected to the WAN (ISP) device and will receive an IP address dynamically by default (via DHCP).
  • The quickest way to manage the device initially is using ASDM. Launch a web browser on your Management PC and go to https://192.168.1.1/admin. Select “Startup Wizard”, leave the username/password fields empty and hit OK.
  • When the wizard takes you to the FirePOWER network settings, enter IP address 192.168.1.2, Mask 255.255.255.0 and Gateway 192.168.1.1 (see below).

[Figure: firepower-initial-ip]

  • After you finish the above, quit the ASDM application and then relaunch it. This time you will see new FirePOWER tabs on the GUI home page, which means you can now configure FirePOWER settings in addition to ASA settings.

ASA 5506-X Basic Configuration Tutorial

The ASA 5506-X has a default configuration out-of-the-box. This default configuration has the following characteristics:

  • Internal LAN: 192.168.1.0/24
  • Internal LAN can access the Internet.
  • The WAN (outside) interface (GE1/1) is configured to receive IP address from DHCP.
  • The LAN (inside) interface (GE1/2) has IP address 192.168.1.1
  • DHCP is enabled for providing IP address to internal hosts.

In this section we will describe how to change this default configuration to suit your network topology. We assume that you already have network connectivity (or console connectivity) to the device so that you can start configuring with Command Line Interface (CLI).

This is our network topology for the basic configuration.

[Figure: basic configuration tutorial asa 5506-x]

  • Internal user LAN: 10.1.1.0/24
  • ASA inside IP: 10.1.1.1
  • ASA outside IP (static): 50.1.1.1
  • NAT: Dynamic overload (PAT) using the outside interface.

Step 1: Configure the Internal LAN interface

interface GigabitEthernet1/2
  description LAN
  nameif inside
  security-level 100   <- Security level 100 means it’s the most trusted interface
  ip address 10.1.1.1 255.255.255.0
  no shut

Step 2: Configure the Outside WAN interface

interface GigabitEthernet1/1
  description WAN
  nameif outside
  security-level 0  <- Security level 0 means it’s the least trusted interface
  ip address 50.1.1.1 255.255.255.0 <- Assume we have a static public IP from the ISP
  no shut

NOTE:

If the outside interface receives its IP address dynamically via DHCP, use this command instead of the static ip address line (it also installs the default route learned from DHCP):

ip address dhcp setroute

Step 3: Configure PAT using the outside interface

nat (inside,outside) source dynamic any interface  <- For traffic going from inside to outside use dynamic NAT on the interface (source IPs will be replaced by the outside interface IP)

Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)

route outside 0.0.0.0 0.0.0.0 50.1.1.2

OPTIONAL STEPS (But Useful)

Step 5: Assign IP addresses via DHCP to internal hosts

You can configure the ASA to work as DHCP server and assign IP addresses dynamically to internal hosts.

dhcpd address 10.1.1.10-10.1.1.100 inside   <- ASA will assign IPs between 10.1.1.10-100
dhcpd dns 208.67.220.220 208.67.222.222  <- ASA will assign DNS servers (these are the OpenDNS servers, by the way)
dhcpd enable inside

Step 6: Enable SSH access for management

hostname ASA5506
crypto key generate rsa modulus 1024
ssh 10.1.1.5 255.255.255.255 inside   <- Allow SSH access only from inside host 10.1.1.5
aaa authentication ssh console LOCAL <- Enable local authentication for SSH
username admin password [STRONGPASS] privilege 15
enable password Gh4w7$-s39fg#(!

Step 7: Apply useful ACL on outside

I usually apply the following ACL on the outside interface. It has two purposes: first, to allow ICMP echo-reply packets to come back in (when pinging from inside to outside), and second, to log any denied packets hitting the firewall from outside (for alerting and security purposes).

access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

The above concludes the basic configuration of the ASA 5506-X. Next we will see a more advanced scenario with web server and guest WiFi in two DMZ zones.

ASA 5506-X Configuration with two DMZ Networks

This is also a popular scenario found in many corporate networks. We have two DMZ segments (DMZ1 and DMZ2) which accommodate a Web Server (DMZ1) and Guest WiFi Access Point (DMZ2). Of course, there is also the “inside” zone which hosts the internal users and also the “outside” zone connected to Internet.

The diagram below illustrates the use case we will discuss.

[Figure: asa 5506-x dmz configuration]

Network Requirements:

  • LAN will be able to access the Internet, DMZ1 and DMZ2.
  • DMZ1 will be able to access the Internet but not the inside zone.
  • DMZ2 will be able to access the Internet but not the inside zone.
  • The Guest WiFi Access Point will assign IPs to wireless clients in the range 192.168.20.0/24 and will provide Internet access to these clients.
  • The Web Server (192.168.10.10) will be accessible from the Internet at port 80.
  • Assume that we have only 1 public IP address assigned from our ISP (static IP). This is the IP address configured on the ASA outside interface (50.1.1.1). Therefore, the Web Server will be accessible using this static public IP using “port redirection”. Traffic from the Internet hitting the outside interface IP (50.1.1.1) on port 80 will be redirected to the Web Server private IP 192.168.10.10.

Configuration

Let’s now see the configuration of the scenario above:

Step 1: Configure the Interfaces

interface GigabitEthernet1/2
  description LAN
  nameif inside
  security-level 100   <- Security level 100 means the most trusted interface
  ip address 10.1.1.1 255.255.255.0
  no shut

interface GigabitEthernet1/1
  description WAN
  nameif outside
  security-level 0  <- Security level 0 means the least trusted interface
  ip address 50.1.1.1 255.255.255.0
  no shut

interface GigabitEthernet1/3
  description Web Server DMZ1
  nameif DMZ1
  security-level 50  <- Choose Security level between 1-99
  ip address 192.168.10.1 255.255.255.0
  no shut

interface GigabitEthernet1/4
  description WiFi DMZ2
  nameif DMZ2
  security-level 40  <- Choose Security level between 1-99
  ip address 192.168.20.1 255.255.255.0
  no shut

Step 2: Configure NAT Overload

nat (inside,outside) after-auto source dynamic any interface
nat (inside,DMZ1) after-auto source dynamic any interface
nat (inside,DMZ2) after-auto source dynamic any interface
nat (DMZ1,outside) after-auto source dynamic any interface
nat (DMZ2,outside) after-auto source dynamic any interface

The above configures NAT overload (PAT) in order to have traffic flow from higher security levels to lower security levels.

This means that the “inside” network will have access to all other networks (DMZ1, DMZ2, outside). Also, DMZ1 (security level 50) will have access to “outside” and to DMZ2 (security level 40). Finally, DMZ2 will have access only to “outside”.

Step 3: Configure static NAT (port redirection) and ACL to access Web Server

object network WEB_SRV   <- See NOTE1
  host 192.168.10.10
  nat (DMZ1,outside) static interface service tcp www www

access-list OUT_IN extended permit tcp any host 192.168.10.10 eq www  <- See NOTE2
access-group OUT_IN in interface outside

NOTE1:

The above static NAT configures PORT Redirection for host 192.168.10.10 (Web Server) using the outside interface. Any traffic hitting the outside interface (50.1.1.1) on port 80 will be redirected to 192.168.10.10 on port 80.

If you have a dedicated static IP for the Web Server (assume 50.1.1.3 is dedicated for the Web Server), the static NAT will be:

object network WEB_SRV
  host 192.168.10.10
  nat (DMZ1,outside) static 50.1.1.3 service tcp www www

NOTE2:

The static NAT configured before is not enough to allow access to the Web Server. An ACL is also needed on the outside interface. The above ACL allows TCP port 80 from “any” source to access the Web Server IP (192.168.10.10).

Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)

route outside 0.0.0.0 0.0.0.0 50.1.1.2

The above configuration shows the minimum essential commands needed to satisfy our network requirements. You will of course need to implement more features such as SSH access, logging, time settings, FirePOWER configuration etc, but these are outside the scope of this article.
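To check that the two-DMZ configuration above actually yields the stated Network Requirements (and that the Step 7 ACL of the basic tutorial lets echo replies back in), here is an added Python model of the ASA's forwarding decision; it is illustration code written for this page, not code from the tutorial or from Cisco. It assumes ASA 8.3+ behaviour (the inbound ACL is matched after static NAT has been undone, so it sees the web server's real address), keeps only the config lines it reads (interface headers and descriptions omitted), and uses 203.0.113.7 and 8.8.8.8 as stand-ins for Internet hosts.

```python
import ipaddress

def service(tok):  # 'www' -> 80, '443' -> 443; ICMP types such as 'echo-reply' stay strings
    return {"www": 80, "http": 80, "https": 443, "ssh": 22}.get(tok, int(tok) if tok.isdigit() else tok)

def addr_spec(tokens):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'; return (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

class AsaPolicy:
    """ASA 8.3+ decision for a new connection: reverse static NAT, then the inbound ACL, else security levels."""
    def __init__(self, config):
        self.ifaces, self.acls, self.groups, self.static = {}, {}, {}, []
        cur = None  # interface (opened by its nameif line) or network object currently being parsed
        for raw in config.splitlines():
            t = raw.split("<-")[0].split()  # drop the tutorial's inline '<-' annotations
            if not t:
                continue
            if t[0] == "nameif":
                cur = self.ifaces[t[1]] = {}
            elif t[0] == "security-level":
                cur["level"] = int(t[1])
            elif t[:2] == ["ip", "address"] and t[2] != "dhcp":
                i = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
                cur["ip"], cur["net"] = i.ip, i.network
            elif t[:2] == ["object", "network"]:
                cur = {}
            elif t[0] == "host":
                cur["ip"] = ipaddress.ip_address(t[1])
            elif t[0] == "nat" and "static" in t:  # nat (real,mapped) static MAPPED [service tcp REAL MAPPED]
                real_if, mapped_if = t[1].strip("()").split(",")
                ports = (service(t[-2]), service(t[-1])) if "service" in t else (None, None)
                self.static.append((real_if, mapped_if, cur["ip"], t[t.index("static") + 1]) + ports)
            elif t[0] == "access-list":  # access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE] [log]
                src, rest = addr_spec(t[5:])
                dst, rest = addr_spec(rest)
                svc = service(rest[1]) if rest[:1] == ["eq"] else (rest[0] if rest and rest[0] != "log" else None)
                self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst, svc))
            elif t[0] == "access-group":  # access-group NAME in interface IFACE
                self.groups[t[4]] = t[1]

    def permitted(self, ingress, src, dst, proto="tcp", svc=None):
        """True if a connection entering 'ingress' from src to dst (TCP/UDP port or ICMP type svc) may be built."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real_if, mapped_if, real_ip, mapped, real_port, mapped_port in self.static:  # undo static NAT first
            mapped_ip = self.ifaces[mapped_if]["ip"] if mapped == "interface" else ipaddress.ip_address(mapped)
            if ingress == mapped_if and dst == mapped_ip and (mapped_port is None or (proto, svc) == ("tcp", mapped_port)):
                dst, svc = real_ip, (svc if mapped_port is None else real_port)
        if ingress in self.groups:  # bound ACL is checked against the real address; first match wins, else implicit deny
            for action, p, s, d, a_svc in self.acls[self.groups[ingress]]:
                if p in (proto, "ip") and src in s and dst in d and a_svc in (None, svc):
                    return action == "permit"
            return False
        # no ACL: egress is the connected interface (else the default route); higher level -> lower only
        egress = next((n for n, i in self.ifaces.items() if "net" in i and dst in i["net"]), "outside")
        return self.ifaces[ingress]["level"] > self.ifaces[egress]["level"]

# Constructed from the two-DMZ tutorial (only the lines the model reads), with the Step 7 ACL entries added to OUT_IN
CONFIG = """
nameif inside
security-level 100   <- most trusted interface
ip address 10.1.1.1 255.255.255.0
nameif outside
security-level 0
ip address 50.1.1.1 255.255.255.0
nameif DMZ1
security-level 50
ip address 192.168.10.1 255.255.255.0
nameif DMZ2
security-level 40
ip address 192.168.20.1 255.255.255.0
object network WEB_SRV
  host 192.168.10.10
  nat (DMZ1,outside) static interface service tcp www www
access-list OUT_IN extended permit tcp any host 192.168.10.10 eq www
access-list OUT_IN extended permit icmp any any echo-reply
access-list OUT_IN extended deny ip any any log
access-group OUT_IN in interface outside
"""

def evaluate(config=CONFIG):
    """Decide each sample flow of the tutorial: name -> True (permit) or False (deny)."""
    asa = AsaPolicy(config)
    flows = {  # (ingress, src, dst, proto, port or ICMP type); 203.0.113.7 / 8.8.8.8 stand in for Internet hosts
        "lan_to_internet":   ("inside", "10.1.1.20", "8.8.8.8", "tcp", 443),
        "dmz1_to_dmz2":      ("DMZ1", "192.168.10.10", "192.168.20.50", "tcp", 80),
        "dmz1_to_lan":       ("DMZ1", "192.168.10.10", "10.1.1.20", "tcp", 445),
        "dmz2_to_lan":       ("DMZ2", "192.168.20.50", "10.1.1.20", "tcp", 445),
        "internet_to_web80": ("outside", "203.0.113.7", "50.1.1.1", "tcp", 80),
        "internet_to_web22": ("outside", "203.0.113.7", "50.1.1.1", "tcp", 22),
        "ping_reply_in":     ("outside", "8.8.8.8", "50.1.1.1", "icmp", "echo-reply"),
    }
    return {name: asa.permitted(*f) for name, f in flows.items()}

def acl_written_for_mapped_ip():  # the mistake NOTE2 guards against: an ACL naming the public IP never matches
    return evaluate(CONFIG.replace("host 192.168.10.10 eq www", "host 50.1.1.1 eq www"))["internet_to_web80"]
```

evaluate() returns True for LAN-to-Internet, DMZ1-to-DMZ2, Internet-to-port-80 and the echo reply, and False for both DMZ-to-LAN flows and port 22; acl_written_for_mapped_ip() returns False, which is why NOTE2's ACL names 192.168.10.10 rather than 50.1.1.1.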

I hope you will find the above helpful for configuring the new ASA 5506-X firewall. For any questions, let me know in the comments below.


Comments

  1. ihsan says

    October 3, 2016 at 7:30 am

    Dear sir,
    It's very great and useful for me, thank you very much.
    In addition, I would like to ask about my scenario: I have a LAN, a WiFi network and an Internal Software Management system, so I would like to restrict every user from connectivity on VPN, like Hotspot Shield etc.

    Please, send me that configuration,
    My email id is; [email protected]

    Ihsan

  2. Joe Smith says

    October 3, 2016 at 9:01 am

    Well, I clicked the Facebook like button but didn’t get the PDF file. Why is this?

  3. Harris Andrea says

    October 3, 2016 at 10:19 am

    Joe, please check your email

    Harris

  4. Harris Andrea says

    October 3, 2016 at 10:21 am

    Ihsan,

    You have two ways to restrict users to that VPN. First is by using FirePOWER Web filtering services to block by domain and the second way is to find all the IPs of that service and block them manually.

    Harris

  5. Paul J. Belter says

    October 3, 2016 at 11:45 am

    Hello Harris,
    Nice to see that you’re still providing us with great advice and guidance. I have been and will remain a follower. I recently had to purchase the ASA 5506-X. I did have some problems with registration and activation of the FirePower module, mainly because the help links provided by Cisco at the time were pointing to some old ASA 5505 instructions. LOL, I believe they have since fixed this. I recommend any IT/IS administrator, professional or novice, utilize your works. Very organized, very informative.
    Thanks,

  6. vijay kumar says

    October 3, 2016 at 12:42 pm

    Hi Harris

    I clicked on Facebook but I don’t get the PDF file. Please send me the PDF.

  7. Harris Andrea says

    October 3, 2016 at 2:20 pm

    Paul,

    Thanks a lot for your kind words. I’m glad you like my tutorials.

    Yeah, Cisco is a little bit slow in “syncing” their huge documentation with every new product they release.

    Harris

  8. Harris Andrea says

    October 3, 2016 at 2:21 pm

    Vijay,

    Check your email. Sorry about that.

    Harris

  9. Demetrius Johnson says

    October 3, 2016 at 3:27 pm

    Awesome article AH. I own a 5506 and 5512-X; they are both running great. I haven’t touched them in about a year and have been wanting to wipe them both and rebuild configs from scratch, but got a little rusty knowledge-wise, so thanks for the refresher. I also think I’m a little behind as far as any revisions of your publications. I’ll email you; could you check it out and bring me up to date?

  10. Harris Andrea says

    October 3, 2016 at 4:52 pm

    Demetrius,

    Please send me an email about up-to-date publications (e.g. which email address you have used to purchase, what book edition you have etc).

    Harris

  11. Kevyn says

    October 3, 2016 at 8:22 pm

    Thank you so much man, this is great stuff. I am currently studying CCNA Security. I find this tutorial so helpful in designing security architecture. Keep the fire burning man.

  12. Allamine says

    October 4, 2016 at 6:24 am

    Thank you sooooooo much

  13. Harris Andrea says

    October 4, 2016 at 7:06 am

    Kevyn, good luck for your CCNA Security studies.

  14. Tony says

    October 5, 2016 at 8:03 am

    Thanks for a great config guide

  15. Lors Les says

    December 26, 2016 at 1:46 am

    Dear Harris Andrea ,

    I would like to prepare for CCNA Security. Please kindly give me some advice to get this CCNAS.

    Thanks, Les

  16. Harris Andrea says

    December 26, 2016 at 5:32 pm

    Lors,

    I suggest first to study from an official Cisco press book and also have a look at a video training from Udemy for an overall study preparation.

    Harris

  17. Mario says

    February 15, 2017 at 2:00 pm

    Have a client that has Internet access through cable co. DHCP, no static IP

    What is the route outside for dhcp on the WAN?

    route outside 0.0.0.0 0.0.0.0 ?

    Thank you.

    Great article, well written, well formatted.

  18. Harris Andrea says

    February 15, 2017 at 3:50 pm

    Mario,

    On the WAN interface of the ASA configure the following:

    ip address dhcp setroute

    If you configure the above you must not configure default route command.

    Harris

  19. Kevynjr says

    July 30, 2017 at 8:00 pm

    Hi Harris,

    Your tutorials make my life easier when it comes to understanding and configuring security devices like the Cisco ASA. Your examples are easy to follow and understand; you are always on point with your explanations.
    These tutorials are helping me with my CCNP Security studies and I hope by year end 2017 I will be NP SECURITY CERTIFIED.

    Looking forward to seeing more of these tutorials!

    You’ve no idea how many lives you’re touching with this so easy to understand stuff! You’re a star and you’ll always be.

    NEED I SAY MORE!!!

    Kevynjr

  20. Harris Andrea says

    July 31, 2017 at 6:25 am

    Kevyn,

    I’m speechless with your kind words. THANK YOU SO MUCH.

    I’m glad that I’m helping people as much as I can. Good luck with your certification studies.

    Harris

  21. Kit says

    October 2, 2017 at 11:25 am

    Hi,
    Thank you for your tutorial

    Would you be able to assist me with the below query? I have a new MPLS line going in and a current Broadband line, currently using an ASA5505 and now moving to an ASA5506.

    1/ I need to set up an MPLS link
    2/ a failover
    3/ Site-to-site VPN utilizing the MPLS link

    This is a huge config, so I understand I may not be at the right place.

    Any help would be great.

    Thank you

    MPLS > ASA > GIG 1/1
    BROADBAND > ASA GIG 1/3
    INSIDE INTERFACE > GIG 1/2

  22. Harris Andrea says

    October 2, 2017 at 12:35 pm

    So if I understand correctly you need to access another site via VPN through the MPLS link and then have internet access via the Broadband link?

  23. Kit says

    October 2, 2017 at 3:14 pm

    Apologies for not being clear, I think I have sorted it. Going to test this this evening.

    I wanted an MPLS (primary circuit) & an internet backup site-to-site VPN

    route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 20 – for example –
    1 being the metric, and I have set up another static route for the broadband connection with a metric of 10, so taking the preferred MPLS route first.

  24. Harris Andrea says

    October 2, 2017 at 4:20 pm

    Yeap, that’s correct. Great job :)

  25. kETAN says

    October 3, 2017 at 2:13 pm

    OK, so I’m struggling with the ASA5506 and trying to mirror the ASA 5505

    My inside interface 1/2.2 I wanted to configure the same
    So the ASA 5505 -1.2 inside interface had an IP address of 192.168.15.1 /24

    When I do this, I lose connection to ASDM and ping. This is because of the BVI
    If I remove the IP address I just run into issues

    I have now configured the IP address as DHCP (AS A TEST) and am seeing if this works. (Will keep you posted)

    Question is
    How do I configure an IP address of 192.168.15.1 /24 on gig 1/2.1 (sub interface) without losing ASDM access?

    ASA Version 9.7(1)4
    !
    hostname USA-NY-Firewall
    enable password $sha512$5000$AKKrWM6EJbPoIessepC8Ng==$4x/eMTT6b5nMPrR1nWPE8A== pbkdf2
    names
    name 192.168.15.0 Lan_NewYork
    name 209.156.159.112 FW_NewYork
    name 63.138.170.146 FW_Boston
    name 192.168.100.0 Lan_Boston
    name 192.168.200.0 Lan_EvedenHQ
    name 82.20.76.241 FW_EvedenHQ
    name 192.168.15.60 video_Conference-Unit_192.168.15.60-NAT description vc unit tcp
    name 209.156.159.118 vc_outside-ip

    !
    interface GigabitEthernet1/1
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/1.3
    vlan 3
    nameif mpls
    security-level 90
    ip address 192.168.58.1 255.255.255.0
    !
    interface GigabitEthernet1/2
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/2.1
    vlan 1
    nameif inside
    security-level 100
    ip address dhcp
    !
    interface GigabitEthernet1/3
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/3.2
    vlan 2
    nameif Outside
    security-level 0
    ip address 209.x.x.x 255.255.255.248
    !
    interface GigabitEthernet1/4
    bridge-group 1
    nameif inside4
    security-level 100
    !
    interface GigabitEthernet1/5
    shutdown
    bridge-group 1
    no nameif
    no security-level
    !
    interface GigabitEthernet1/6
    shutdown
    bridge-group 1
    no nameif
    no security-level
    !
    interface GigabitEthernet1/7
    shutdown
    bridge-group 1
    no nameif
    no security-level
    !
    interface GigabitEthernet1/8
    shutdown
    bridge-group 1
    no nameif
    no security-level
    !
    interface Management1/1
    management-only
    no nameif
    no security-level
    no ip address
    !
    interface BVI1
    nameif inside-2
    security-level 100
    ip address 192.168.15.1 255.255.255.0
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    same-security-traffic permit inter-interface
    object network obj_any1
    subnet 0.0.0.0 0.0.0.0
    object network obj_any2
    subnet 0.0.0.0 0.0.0.0
    object network obj_any3
    subnet 0.0.0.0 0.0.0.0
    object network obj_any4
    subnet 0.0.0.0 0.0.0.0
    object network obj_any5
    subnet 0.0.0.0 0.0.0.0
    object network obj_any6
    subnet 0.0.0.0 0.0.0.0
    object network obj_any7
    subnet 0.0.0.0 0.0.0.0
    object-group service Outbound_Basic_Browser tcp
    port-object eq ftp
    port-object eq h323
    port-object eq www
    port-object eq https
    port-object eq ldap
    port-object eq pop3
    port-object eq ssh
    port-object eq telnet
    object-group service svc_tcpudp_Video-Conf
    service-object tcp destination eq 1503
    service-object tcp destination eq 1731
    service-object tcp destination range 3230 3239
    service-object tcp destination eq 3603
    service-object tcp destination range sip 5061
    service-object tcp destination range 60000 64449
    service-object tcp destination eq h323
    service-object tcp destination eq ldap
    service-object udp destination range 1718 1719
    service-object udp destination range 60000 64449
    service-object udp destination eq ntp
    service-object udp destination eq sip
    service-object udp destination range 3230 3253
    object-group service DM_INLINE_SERVICE_2
    group-object svc_tcpudp_Video-Conf
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service Blocked_Ports
    description Itunes
    service-object tcp destination range 16384 16386
    service-object tcp destination eq 5223
    object-group service Outbound_Basic-Browser
    service-object tcp destination eq 81
    service-object tcp destination eq ftp
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq telnet
    object-group service Outbound_Web
    service-object esp
    service-object ah
    service-object tcp-udp destination eq 1433
    service-object tcp destination eq 2083
    service-object tcp destination eq 3011
    service-object tcp destination eq 3389
    service-object tcp destination eq 4401
    service-object tcp destination eq 4500
    service-object tcp destination eq 500
    service-object tcp destination eq 5494
    service-object tcp destination eq 5900
    service-object tcp destination eq 7777
    service-object tcp destination eq 8001
    service-object tcp destination eq 8080
    service-object tcp destination eq 8081
    service-object tcp destination eq 8082
    service-object tcp destination eq 85
    service-object tcp destination eq 9001
    service-object tcp destination eq 9002
    service-object tcp destination eq finger
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq h323
    service-object tcp destination eq pop3
    service-object tcp destination eq ssh
    service-object udp destination eq 53345
    service-object udp destination eq isakmp
    service-object udp destination eq netbios-ns
    object-group service DM_INLINE_SERVICE_1
    group-object Outbound_Basic-Browser
    group-object Outbound_Web
    object-group service Inbound_Basicbrowser
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service Itunes tcp
    port-object eq 5223
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq imap4
    port-object eq pop3
    port-object eq smtp
    port-object eq 993
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq 993
    port-object eq imap4
    port-object eq pop3
    port-object eq smtp
    access-list outside_access_in extended deny ip any any log
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list global_mpc extended permit tcp any any
    !
    tcp-map allow-probes
    tcp-options range 76 78 allow
    no ttl-evasion-protection
    !
    pager lines 24
    logging asdm informational
    mtu mpls 1500
    mtu inside 1500
    mtu Outside 1500
    mtu inside4 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    arp rate-limit 16384
    route Outside 0.0.0.0 0.0.0.0 209.x.x.x 1
    route Outside FW_Boston 255.255.255.255 209.x.x.x 1
    route Outside FW_EvedenHQ 255.255.255.255 209.X.X.X 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    timeout conn-holddown 0:00:15
    timeout igp stale-route 0:01:10
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Lan_NewYork 255.255.255.0 inside
    http Lan_Boston 255.255.255.0 inside
    http FW_Boston 255.255.255.255 Outside
    http 0.0.0.0 0.0.0.0 inside
    http Lan_EvedenHQ 255.255.255.0 inside
    http FW_EvedenHQ 255.255.255.255 Outside
    http Lan_NewYork 255.255.255.255 Outside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh Lan_NewYork 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config mpls
    !
    dhcpd dns 192.168.100.70 interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-access-policy-record DfltAccessPolicy
    username admin password $sha512$5000$pg2QJKqkVS4QYZoLxEzDCw==$xn8z3Z+KPgEZDvpS9G5r4A== pbkdf2 privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    no tcp-inspection
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fd19fb2a6628a2c5c393561149fa490c
    : end

  26. Harris Andrea says

    October 4, 2017 at 1:23 pm

    Try to configure a static IP on the inside interface in the same subnet as your management PC.

  27. Ketan says

    October 6, 2017 at 12:30 pm

    OK, so I have completely wiped the config of the ASA 5506.
    I still cannot get access to the ASDM via the inside interface.

    When I enable the BVI 1 interface this works. Anyone got any ideas? I have pasted the base config

    ASA Version 9.7(1)4
    !
    hostname ciscoasa
    enable password $sha512$5000$c6AXuFTE34BuFGjhv1fn6w==$PD31+ZXnbtYnJefJS8w3oA== pbkdf2
    names

    !
    interface GigabitEthernet1/1
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface GigabitEthernet1/2
    nameif inside
    security-level 100
    ip address 192.168.15.1 255.255.255.0
    !
    interface GigabitEthernet1/3
    bridge-group 1
    nameif inside_2
    security-level 100
    !
    interface GigabitEthernet1/4
    bridge-group 1
    nameif inside_3
    security-level 100
    !
    interface Management1/1
    management-only
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    object network obj_any1
    subnet 0.0.0.0 0.0.0.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu inside_2 1500
    mtu inside_3 1500
    mtu inside_4 1500
    mtu inside_5 1500
    mtu inside_6 1500
    mtu inside_7 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    arp rate-limit 16384
    !
    object network obj_any1
    nat (inside,outside) dynamic interface
    object network obj_any2
    nat (inside_2,outside) dynamic interface
    object network obj_any3
    nat (inside_3,outside) dynamic interface
    object network obj_any4
    nat (inside_4,outside) dynamic interface
    object network obj_any5
    nat (inside_5,outside) dynamic interface
    object network obj_any6
    nat (inside_6,outside) dynamic interface
    object network obj_any7
    nat (inside_7,outside) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    timeout conn-holddown 0:00:15
    timeout igp stale-route 0:01:10
    user-identity default-domain LOCAL
    http server enable
    http 192.168.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    !
    dhcpd address 192.168.15.3-192.168.15.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-access-policy-record DfltAccessPolicy
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    no tcp-inspection
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:bdfe9c97db8d25ccb3c554d7e5bfab92
    : end

  28. Harris Andrea says

    October 6, 2017 at 12:36 pm

    Connect a PC directly to port Gig1/2 and configure an IP address in subnet 192.168.15.x. Then make sure that you can ping the inside of the ASA. This should give you ASDM access as well.

  29. Ray says

    October 15, 2017 at 4:56 pm

    Good day.
    I make the connection as described, but from my computer the web browser does not let me access the configuration: https://192.168.1.1/admin

    Do I have to do some further step to get access? Thanks.

  30. Thiha Kyaw says

    January 13, 2018 at 5:59 am

    Hi Sir.
    I need a GRE over IPsec on ASA configuration guide.
    Please send me, Sir.
    Please help me, Sir.
    [email protected]

  31. Harris Andrea says

    January 13, 2018 at 11:23 am

    GRE is not supported on ASA.

    See here:

    https://supportforums.cisco.com/t5/vpn/do-cisco-asa-5555-x-supports-gre-tunnel/td-p/3079200

    For GRE on routers have a look at this:

    https://www.networkstraining.com/passing-non-ip-traffic-over-ipsec-vpn-using-gre-over-ipsec/

    Harris

  32. Mabrouk Maamri says

    January 31, 2018 at 11:13 pm

    Harris,
    Lost for words…
    What an amazing work, THANKS a million brother.

  33. Harris Andrea says

    February 6, 2018 at 4:33 pm

    Thanks a lot

  34. Richard says

    April 5, 2018 at 10:39 pm

    I'm having issues with being able to connect to hosts inside my VPN once connected with the AnyConnect client.

    I'm hoping you can give me some assistance; it would be greatly appreciated.

    I have a 5506X ASA.
    Inside address is 192.168.2.0
    VPN pool is 192.168.3.0

    I'm hoping I can send you my config. Thank you.

  35. Harris Andrea says

    April 6, 2018 at 12:37 pm

    In which subnet are the inside hosts connected? To 192.168.2.0 ?

  36. Richard Doy says

    April 6, 2018 at 12:50 pm

    Yes, 192.168.2.
    My VPN pool is 192.168.3.5-10.
    When I connect I can ping myself when I SSH to the ASA, but the client cannot ping the ASA or any other device. I believe it's a batting issue.

  37. Richard Doy says

    April 6, 2018 at 12:51 pm

    LOL, NAT issue, not batting. Sorry for the grammar.

  38. Harris Andrea says

    April 6, 2018 at 1:00 pm

    Please contact me on the contact page so I can give you instructions about sending me the config to have a look.

  39. Richard Doy says

    April 6, 2018 at 1:19 pm

    Contact page??

  40. Harris Andrea says

    April 6, 2018 at 1:34 pm

    https://www.networkstraining.com/contact/

  41. BENEDICT AGYEMANG AGYEMANG says

    April 16, 2018 at 8:06 pm

    Hi Harris,
    Thanks for your great insights on the ASA firewall and all the wonderful help. I have two separate networks: a Production ASA in HA mode and a Lab ASA also in HA mode. The firewalls on both sides are not interconnected, for security reasons. We just had an internal discussion and the engineering team wants to connect the two together so that we can allow some of the production subnets access to some VMware machines on the LAB side. I will be glad if you can guide me with the best design approach and the best security to achieve this scenario.
    Kind Regards
    Ben

  42. Harris Andrea says

    April 17, 2018 at 4:19 am

    It's OK to connect the two networks provided you strictly follow a whitelist approach with regard to traffic between the two networks. From the LAB network you must allow only the specific IPs and specific ports that are required for the communication. Nothing else. LAB networks are risky because they have machines which are probably unpatched and not configured with high security in mind.
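    A whitelist of the kind described in the reply above, written out as ASA configuration. This is an added example, not the author's configuration and not a configuration from this thread; it assumes a single ASA with a "prod" interface (security-level 80) and a "lab" interface (security-level 20), and the subnets, hosts and ports are invented for illustration.

    ```cisco
    ! Assumed layout: "prod" faces the production network, "lab" faces the lab.
    ! All interface names, addresses, hosts and ports below are assumptions.
    interface GigabitEthernet1/3
     nameif prod
     security-level 80
     ip address 10.10.0.1 255.255.255.0
    !
    interface GigabitEthernet1/4
     nameif lab
     security-level 20
     ip address 10.20.0.1 255.255.255.0
    !
    ! Name the few production hosts that may reach the lab, the lab VMs they may reach,
    ! and the ports they need. Adding a host later means editing a group, not an ACL.
    object-group network PROD_MGMT_HOSTS
     network-object host 10.10.0.10
     network-object host 10.10.0.11
    object-group network LAB_VMWARE_HOSTS
     network-object host 10.20.0.50
     network-object host 10.20.0.51
    object-group service VMWARE_PORTS tcp
     port-object eq https
     port-object eq 22
    !
    ! Inbound on prod: permit only the listed flows toward the lab, log any other attempt
    ! to reach the lab subnet, then allow the rest of prod's normal traffic (e.g. Internet).
    access-list PROD_IN extended permit tcp object-group PROD_MGMT_HOSTS object-group LAB_VMWARE_HOSTS object-group VMWARE_PORTS
    access-list PROD_IN extended deny ip any 10.20.0.0 255.255.255.0 log
    access-list PROD_IN extended permit ip 10.10.0.0 255.255.255.0 any
    access-group PROD_IN in interface prod
    !
    ! Inbound on lab: nothing initiates toward production. Because lab (20) is lower than
    ! prod (80), lab-to-prod is dropped anyway, but an explicit logged deny makes attempts
    ! visible. Only the reply packets of the prod-initiated sessions above are allowed,
    ! by the ASA's stateful inspection, without any permit line here.
    access-list LAB_IN extended deny ip any 10.10.0.0 255.255.255.0 log
    access-list LAB_IN extended permit ip 10.20.0.0 255.255.255.0 any
    access-group LAB_IN in interface lab
    !
    ! Review periodically: hit counts per line, and the logged denies (syslog 106023).
    show access-list PROD_IN
    show access-list LAB_IN
    ```

    No NAT statement is needed for the prod/lab pair on a single ASA (8.3 and later do not require NAT between interfaces); the two subnets are routed directly. If a lab host genuinely needs to initiate a flow into production, add one specific permit line above the deny in LAB_IN rather than widening the existing lines.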

  43. Benedict Agyemang says

    April 17, 2018 at 4:49 am

    Hi Harris,
    Thanks very much for your wonderful opinion, and in the future I hope you build this kind of case, with the best design and configuration, to approach these kinds of scenarios.
    Kind Regards
    Ben

  44. John says

    February 27, 2019 at 3:04 am

    Hi, for the ASA 5506-X Basic Configuration Tutorial, if the WAN IP is dynamic, how should we go about configuring the default route to the internet?

  45. Harris Andrea says

    February 27, 2019 at 6:01 am

    John,

    If you receive a dynamic IP address on the WAN (i.e. via DHCP), then use the following command under the WAN interface:

    ip address dhcp setroute

    The above will set the default route as received from the DHCP service.

    Harris
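    The command from the reply above in the context of a full outside interface, followed by the checks that confirm the ISP-supplied default route was actually installed. This is an added example, not the author's configuration; the interface number and name are assumptions.

    ```cisco
    ! Outside interface takes both its address and its default gateway from the ISP's DHCP server.
    ! GigabitEthernet1/1 and the name "outside" are assumptions; "ip address dhcp setroute" is the command from the reply.
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ! With setroute in place there is no need for a static "route outside 0.0.0.0 0.0.0.0 <gw>";
    ! the default route is derived from the lease and is replaced if the lease changes.
    !
    ! Verify: the lease (address, gateway, lease time) and the routing table entry it produced.
    show ip address outside dhcp lease
    show route
    ```

    If `show route` shows no default entry after the lease is obtained, the ISP is not handing out a router option in its DHCP offer, and the default route then has to be configured statically toward the gateway the ISP documents.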

  46. John says

    February 27, 2019 at 6:12 am

    Hi Harris,

    Thanks for your speedy replies.

    I have another question. In the 2nd example you mentioned DMZ1 can access DMZ2, so why isn't a NAT configured for this?

    nat (inside,outside) after-auto source dynamic any interface
    nat (inside,DMZ1) after-auto source dynamic any interface
    nat (inside,DMZ2) after-auto source dynamic any interface
    nat (DMZ1,outside) after-auto source dynamic any interface
    nat (DMZ2,outside) after-auto source dynamic any interface

  47. Harris Andrea says

    February 28, 2019 at 6:20 am

    John,
    You are right that I have not included a NAT statement for access from DMZ1 to DMZ2. This is because in the specific scenario above, DMZ1 has a web server and DMZ2 has a WiFi access point, so I assumed there is no need for the web server to access the WiFi LAN.

    If you want that, you can configure NAT as below:

    nat (DMZ1,DMZ2) after-auto source dynamic any interface
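    The NAT line from the reply above, placed next to the access-control piece that goes with it. This is an added example, not the author's configuration; the security levels (DMZ1 at 50, DMZ2 at 40), interface numbers, addresses and the single permitted flow are assumptions chosen for illustration.

    ```cisco
    ! Assumed interfaces; the security levels are not stated in the reply and are assumptions.
    interface GigabitEthernet1/3
     nameif DMZ1
     security-level 50
     ip address 192.168.10.1 255.255.255.0
    !
    interface GigabitEthernet1/4
     nameif DMZ2
     security-level 40
     ip address 192.168.20.1 255.255.255.0
    !
    ! Dynamic PAT of DMZ1 sources behind the DMZ2 interface address (the line from the reply).
    ! "after-auto" places it in section 3, after any object (auto) NAT such as the web server's static NAT.
    nat (DMZ1,DMZ2) after-auto source dynamic any interface
    !
    ! Without an inbound ACL on DMZ1, DMZ1 (50) may initiate toward DMZ2 (40) by default.
    ! As soon as an ACL is applied inbound on DMZ1 (normal for a DMZ that holds an exposed web
    ! server), that default disappears and only what the ACL permits gets through. Permit only
    ! the flow that is actually required, keep a logged deny at the end, and put any other
    ! flows the web server legitimately needs (e.g. DNS, updates) above the deny.
    access-list DMZ1_IN extended permit tcp host 192.168.10.10 192.168.20.0 255.255.255.0 eq 443
    access-list DMZ1_IN extended deny ip any any log
    access-group DMZ1_IN in interface DMZ1
    !
    ! Verify the decision for one synthetic packet: the output shows the ACL phase, the NAT
    ! phase (section 3 rule above) and the final ALLOW/DROP, without sending real traffic.
    packet-tracer input DMZ1 tcp 192.168.10.10 40000 192.168.20.20 443
    ! After real traffic has flowed, the translation appears here:
    show xlate
    ```

    Return traffic from DMZ2 to DMZ1 needs no permit of its own; the ASA's connection table allows the replies of an established session. Only a session initiated from DMZ2 toward DMZ1 would require a permit line in an ACL applied on DMZ2.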

  48. simone says

    March 2, 2019 at 8:00 pm

    Hi, I tried your second configuration to access a webserver on another network but it won't work. It runs for the first network 'inside', but denies all traffic on the network DMZ1. I hate the 5506-x :| Also I need inside and DMZ1 to communicate with each other, but nothing.

  49. simone says

    March 2, 2019 at 8:04 pm

    Sorry, here is my conf:

    :
    ASA Version 9.6(1)
    !
    hostname ASA-ECO
    domain-name ecomet.local
    enable password IxA55i/Br/B1ex6t encrypted
    passwd IxA55i/Br/B1ex6t encrypted
    names

    !
    interface GigabitEthernet1/1
    description outside
    nameif outside
    security-level 0
    ip address xxx 255.255.255.248
    !
    interface GigabitEthernet1/2
    nameif inside
    security-level 100
    ip address 192.168.0.3 255.255.255.0
    !
    interface GigabitEthernet1/3
    nameif DMZ1
    security-level 50
    ip address 10.0.0.7 255.255.255.0
    !
    interface GigabitEthernet1/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/6
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/7
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/8
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management1/1
    management-only
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ecomet.local
    same-security-traffic permit intra-interface
    object network LanInterna
    subnet 192.168.0.0 255.255.255.0
    object network MailServer
    host 192.168.0.4
    object network WebServer
    host 192.168.0.2
    object network As400
    host 10.0.0.6
    object network Xpserver
    host 192.168.0.2
    object network NTSERVER
    host 10.0.0.2
    access-list OUT_ACL extended permit tcp any object MailServer eq pptp
    access-list OUT_ACL extended permit tcp any object MailServer eq imap4
    access-list OUT_ACL extended permit tcp any object MailServer eq 993
    access-list OUT_ACL extended permit icmp any any
    access-list OUT_ACL extended permit gre any any
    access-list OUT_ACL extended permit tcp any object MailServer eq 43389
    access-list OUT_ACL extended permit tcp any object MailServer eq https
    access-list OUT_ACL extended permit tcp any object MailServer eq pop3
    access-list OUT_ACL extended permit tcp any object MailServer eq smtp
    access-list OUT_ACL extended permit tcp any host 192.168.0.249 eq 3389
    access-list OUT_ACL extended permit tcp any object WebServer eq www
    access-list OUT_ACL extended permit tcp any object As400 eq telnet
    access-list OUT_ACL extended permit tcp any object As400 eq 8470
    access-list OUT_ACL extended permit tcp any object As400 eq 8476
    access-list OUT_ACL extended permit tcp any object As400 eq 446
    access-list OUT_ACL extended permit tcp any object As400 eq 447
    access-list OUT_ACL extended permit tcp any object As400 eq 448
    access-list OUT_ACL extended permit tcp any object As400 eq 449
    access-list OUT_ACL extended permit tcp any object Xpserver eq 43389
    access-list OUT_ACL extended permit tcp any object NTSERVER
    access-list OUT_ACL extended permit tcp any host 10.0.0.2
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ1 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    !
    object network LanInterna
    nat (inside,outside) dynamic xxx dns
    object network MailServer
    nat (inside,outside) static xxx
    object network WebServer
    nat (inside,outside) static xxx service tcp www www
    object network Xpserver
    nat (inside,outside) static xxx service tcp 43389 43389
    object network NTSERVER
    nat (DMZ1,outside) static xxx service tcp https https
    !
    nat (inside,outside) after-auto source dynamic any interface
    nat (inside,DMZ1) after-auto source dynamic any interface
    nat (DMZ1,outside) after-auto source dynamic any interface
    access-group OUT_ACL in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx 1
    route inside 10.0.0.0 255.255.255.0 192.168.0.94 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd auto_config outside
    !
    dynamic-access-policy-record DfltAccessPolicy
    username admin password Ixxx encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:xxx
    : end

  50. Harris Andrea says

    March 3, 2019 at 8:25 am

    On the DMZ1 network (10.0.0.0) you only have the As400 and NTserver. The webserver you mention is in the inside network, not in DMZ1. Please clarify…

  51. simone says

    March 3, 2019 at 5:34 pm

    My fault; in doing the tests I certainly messed up the configuration. As400 and Ntserver must stay in DMZ1, assigned to 10.0.0.7 (10.0.0.0 network), and in inside I need to have the 192.168.0.0 network, and I need the two networks to talk to each other, besides mapping 10.0.0.2 and 10.0.0.6 on DMZ1 to outside:
    Mailserver: 192.168.0.4
    Xpserver: 192.168.0.2
    As400: 10.0.0.6
    Ntserver: 10.0.0.2
    I suppose I need to create an interface DMZ1 to do this; at first I tried with only one interface, inside 192.168.0.0, and defined a static inside route to route 10.0.0.0 traffic, but it does not work as on the PIX 506; the 5506-X blocks all my traffic between inside and the static route or DMZ1. I can only ping but not other services.

  52. Emma says

    June 28, 2019 at 9:05 am

    I would like you to share a configuration of an ASA firewall behind an ISP modem and in front of a LAN router, or inbox me the PDF of the configuration to my mail.

  53. Kjetil says

    December 28, 2021 at 10:26 am

    Thank you for the thorough instructions on setting up the ASA 5506-X.
    Now that the box is readily available for “reuse” as a learning and home router/firewall, I hope you can, if possible, do a refresh of the instructions with the new version 9.16, which is the final supported version for the ASA 5506-X.
    The change Cisco made in version 6.7 of the software, and later ending FirePOWER in 9.9, changes the way the ports are set up. I believe for you it is a small task to change your instructions to fit.
    Thank you.

Copyright © 2023 | Privacy Policy | Terms and Conditions | Hire Me | Contact | Amazon Disclaimer | Delivery Policy
