New ASA 5510

Sep 16th, 2008

Hello, I just unboxed my new ASA 5510. I have the task to configure this and install it onto my network. Currently we are running a WatchGuard firewall x700. I will be replacing this with the ASA.

I will be swapping this out and putting the new ASA in. Knowing this, I need to set up and preconfigure the ASA like I have my firewall currently in production. This will be my first setup on an ASA.

Configuring and setting up for security I can use some guidance on. I have all the policies/configuration from the WatchGuard box.

If someone can help with setup/configuration and the best way to handle the swap, I would appreciate input.

singhsaju Tue, 09/16/2008 - 17:16

Hi John,

You can set up the ASA in 5 steps:

Step 1: Name the interface

interface Ethernet0

nameif outside

interface Ethernet1

nameif inside

Step 2: Define security levels to interfaces

interface Ethernet0

security-level 0

interface Ethernet1

security-level 100

Step 3: Provide ip addresses to the interfaces:

interface Ethernet0

ip address

interface Ethernet1

ip address

Step 4: Enable NAT/Global to allow the traffic to go outside from inside.



nat (inside) 1

global(outside)1 outside

Step 5: Define a Route

route (outside)

To allow access to the host/network in the inside zone:

You will have to define a static NAT and permit it in an access-list that is bound to the outside interface. For example:

static (inside,outside) netmask

access-list smtp extended permit tcp any host eq smtp

access-group smtp in interface outside



Please rate if it helps

johncomeau Tue, 09/16/2008 - 17:41


Thanks for your response. I have an access-list on the router on the core network. Will I have to configure an access-list on the ASA also?

At the moment I have external and internal interfaces on the WatchGuard firewall. I have about 10 static routes for communications with a couple of remote offices over an MPLS circuit and some VLANs. I have 10 policies configured for external OWA, SSL, SharePoint, ping, etc. I guess I need to configure all of that on this new ASA. Have any recommendations on this?

So if I go with the steps: step 1, name the interfaces; step 2, assign security-levels to the interfaces. What I read is that the WAN should be set to 0 and the inside LAN should be set to 100. What do those numbers mean?

Step 3: my WAN Ethernet 0 will be the external IP that's on my firewall and Ethernet 1 will be the internal private IP that's on the firewall. Step 4: enable NAT, and step 5: define a route.

I will also need to add all of those static routes also.

Once again thanks for your input.

amohabir1 Thu, 09/18/2008 - 10:54

0 and 100 define the security level for the interface. The higher the number, the more trusted it is, thus the reason you would use the interface with a security level of 100 to be your inside interface.

Yes, whatever you have set up on your current firewall you will have to add to the ASA.

So routes and access-list

You can set up a default route that looks like

route outside

and use this as a template to create the rest of your routes.

For example, if your access-list is permitting http, https, and ftp, you would create an access-list that looks something like this:

access-list acl_in permit tcp any any eq 80

access-list acl_in permit tcp any any eq 443

access-list acl_in permit tcp any any eq ftp


There is an implicit deny all but it is good practice to define your

access-list acl_in deny ip any any.

This will be at the very end of your config.

After you create the access-list you will need to bind it to the interface that you are creating it for. So with the one I just created you would bind it to the inside interface.

access-group acl_in in interface inside (or whatever the nameif name you choose is)
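
An added example, not part of the thread or any poster's configuration: a Python check that can be run over a drafted ASA config before the swap. It flags ACL entries that pair `ip` with a port operator (ASA accepts port matches only with tcp or udp), ACLs never bound with access-group, and access-group lines naming an interface that has no nameif; the sample config and the name `lint_asa` are constructed for illustration.

```python
# Constructed sample config for the check below (192.0.2.10 is an RFC 5737
# documentation address); it is not taken from the thread.
SAMPLE = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
access-list acl_in permit ip any any eq 80
access-list acl_in permit tcp any any eq 443
access-list acl_in deny ip any any
access-list smtp extended permit tcp any host 192.0.2.10 eq smtp
access-list unused extended permit tcp any any eq ftp
access-group acl_in in interface inside
access-group smtp in interface dmz
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}  # operators that need tcp or udp

def lint_asa(config):
    """Return sorted (line_number, message) findings for ACL mistakes."""
    findings, nameifs, acls, bound = [], set(), {}, {}
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if len(t) >= 2 and t[0] == "nameif":
            nameifs.add(t[1])
        elif len(t) >= 4 and t[0] == "access-list":
            acls.setdefault(t[1], n)  # remember where each ACL first appears
            ace = t[3:] if t[2] == "extended" else t[2:]
            if (len(ace) >= 2 and ace[0] in ("permit", "deny")
                    and ace[1] == "ip" and PORT_OPS & set(ace[2:])):
                findings.append((n, "port match requires tcp or udp, not ip"))
        elif len(t) == 5 and t[0] == "access-group" and t[3] == "interface":
            bound[t[1]] = (n, t[4])
    for name, (n, ifname) in bound.items():
        if name not in acls:
            findings.append((n, f"access-group uses undefined ACL {name}"))
        if ifname not in nameifs:
            findings.append((n, f"interface {ifname} has no nameif"))
    for name, n in acls.items():
        if name not in bound:
            findings.append((n, f"ACL {name} is never bound with access-group"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, msg in lint_asa(SAMPLE):
        print(f"line {line_no}: {msg}")
```

An unbound ACL filters nothing, so a policy carried over from the old firewall can look present in the config while having no effect.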

