Networks Training

How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial

This Cisco ASA Tutorial gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance but the configuration applies also to the other ASA models as well (see also this Cisco ASA 5505 Basic Configuration).

The 5510 ASA device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license. The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc. Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.

MORE READING:  IP Phones behind a Cisco ASA 5505 Firewall

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:

Step1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword

Step2: Configure the public outside interface

ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step3: Configure the trusted internal interface

ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3 and later (including ASA 9.x)

From March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

MORE READING:  Cisco ASA Firewall Fundamentals ebook : Rapidshare and Torrent Free Download

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)

ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP

ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further. For a more complete practical guide about Cisco ASA Firewall configuration I suggest you to read the “Cisco ASA Firewall Fundamentals – 3rd Edition” ebook at the link HERE.

Comments

  1. Maybe your NAT doesn’t work. Try to telnet from inside PC to 200.200.200.2 and observe the xlate translations to see if they work:

    show xlate

    With the above command you will see if the private PC IP 192.168.10.x is translated on the outside IP of ASA.

  2. Hi Guys,

    Hope you guys can assist me with this endeavour;

    on a CISCO 515E

    I want to set-up a backup Application Server, currently I want eth3 to be a backup of my eth0 for redundancy. I have two application servers (eth0) being the primary and eth3 (redundant), ofcourse I can’t assign an ip address (public) within the same range as eth0 but is there any way i could do what I plan to do using only a single CISCO ASA 515E?

    Any help will be appreciated.

  3. Ronel,

    As I understand you want to provide server redundancy. The best way would be to connect both on the same subnet (maybe on the switch where PIX eth0 is connected) and then create a cluster or some sort of server load-balancing or failover. The two servers must will be represented by virtual IP address (VIP) so the PIX will know one IP to reach the server cluster. This is the classical way most people are doing.

    Harris

  4. hey guys, i hope you will assist me and i am very desparate and i need your help urgently. i am a student and i specialise in networking. so i have a problem in configuring the switch using VLANS.

  7. Hi

    I got a fresh ASA 5540. And at first I just want to access this ASA from LAN . For this I only put an ip say 192.168.80.104 with security level of 100. and given route inside to 192.168.80.1 as a gateway router of 192.168.80.104 ip . But issue is I am not getting ping from 192.168.80.XX ip block .

    can u please help me out.

  8. If you have a PC connected to 192.168.80.x network and the inside interface of ASA is “no shut” then you should get ping replies if you ping the ASA IP

  9. Dear Sir,

    i have configured Cisco 5500 Firewall configuration, i have given ip address and every thing but after reboot the firewall, this total configuration is deleted. not save this configuration to Cisco 5500 Firewall, What is this problem, Could you please give suggestion to me.
    Thanking you sir.

  10. To save the configuration run the following command:

    “wr mem”

    This will save the current running configuration to flash memory so that when you reboot it will not be lost.

  11. Dear Sir,
    I do have ASA5525 Firewall with a version of 8.4 my Outside interface is connected to Edge External Switch and Inside Interface is connected to Internal Switch for my LAN network. My question is, i do have another device which Ratitan. This device where i can plug in my other devices such ASA, Servers, etc. I plug in this Ratitan device into Edge External Switch where the Outside Interface of my ASA Firewalll is connected. This devise is outside the firewall and i did assigned an External IP address. From my internal network i can able to access this public ip address of Ratitan but not from the outside. It used to work for what ever reason stop working when i did put this statement deny ip any any going inbound for my outside interface of my firewall. Not sure what stopping me for accessing from the outside. which this Ratitan device is not behind the Firewall.
    Is there away you can help me out on this and what am i doing wrong. Please advise. Many thanks.

  12. Sorry but I have no idea what is this Ratitan device you said. Also I didn’t understand the exact problem here. Please describe in more details.

    Thanks

    Harris

  13. On First boot
    Do copy run start
    reload
    then exit GNS.

    Start GNS after that save config always with copy run start

  14. Above configuration I have configured in firewall and I’m trying ping from to wan interface but getting RTO. Please suggest

  16. Hey guys…..I would really like to thank Networkstraining.com for helping me nail down this thing.
    At last my client is connected to the internet and happy.
    Cheers guys

  19. dear, i create the interface, hostname and password .please your suggestion requirement what thing i missing to confiuration cisco firewall ASA 5510 series

  20. someone help me i create the interface, hostname, password in cisoc firewall ASA 5510 series.what thing , i missing, please give me your opinion as soon as possible.

  21. If you follow the commands exactly as shown on the post above, you will have the ASA5510 running with its basic configuration.

Leave a Reply

Your email address will not be published. Required fields are marked *

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING