New ASA 5510

johncomeau
Level 1

Hello I just unboxed my new ASA 5510. I have the task to configure this and install onto my network. Currently we are running a watchguard firewall x700. I will be replacing this with the ASA.

I will be swapping this out and putting the new ASA in. Knowing this, I need to set up and preconfigure the ASA like I have my firewall currently in production. This will be my first setup on an ASA.

Configuring and setting up for security I can use some guidance on. I have all the policies/configuration from the watchguard box.

If someone can help with setup/configuration and the best way to handle the swap, I would appreciate input.

3 Replies

singhsaju
Level 4

Hi John,

You can set up the ASA in 5 steps:

Step 1: Name the interfaces

interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside

Step 2: Define security levels for the interfaces

interface Ethernet0/0
 security-level 0
interface Ethernet0/1
 security-level 100

Step 3: Provide IP addresses to the interfaces:

interface Ethernet0/0
 ip address 20.20.20.17 255.255.255.248
interface Ethernet0/1
 ip address 192.168.2.1 255.255.255.0

Step 4: Enable NAT/Global to allow the traffic to go outside from inside.

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Step 5: Define a route

route outside 0.0.0.0 0.0.0.0 <isp-gateway-ip>

To allow access to a host/network in the inside zone:

you will have to define a static NAT and permit it in the access-list that is bound to the outside interface. For example:

static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside

HTH

Saju

Please rate if it helps

Saju,

Thanks for your response. I have an access-list on the router on the core network. Will I have to configure an access-list on the ASA also?

At the moment I have an external and an internal interface on the WatchGuard firewall. I have about 10 static routes for communications with a couple of remote offices over an MPLS circuit and some VLANs. I have 10 policies configured for external OWA, SSL, SharePoint, ping, etc. I guess I need to configure all of that on this new ASA. Have any recommendations on this?

So if I go with step 1, name the interfaces, and step 2, assign security-levels to the interfaces. What I read is that the WAN should be set to 0 and the inside LAN should be set to 100; what do those numbers mean?

Step 3: my WAN Ethernet 0 will be the external IP that's on my firewall and Ethernet 1 will be the internal private IP that's on the firewall. Step 4: enable NAT, and step 5: define a route.

I will also need to add all of those static routes also.

Once again thanks for your input.

0 and 100 define the security level for the interface. The higher the number, the more trusted it is, thus the reason you would use the interface with a security level of 100 to be your inside interface.

Yes, whatever you have set up on your current firewall you will have to add to the ASA.

So routes and access-lists.

You can set up a default route that looks like

route outside 0.0.0.0 0.0.0.0 1.2.3.4

and use this as a template to create the rest of your routes.

For example, if your access-list is permitting http, https, and ftp you would create an access-list that looks something like this:

access-list acl_in extended permit tcp any any eq 80
access-list acl_in extended permit tcp any any eq 443
access-list acl_in extended permit tcp any any eq ftp

There is an implicit deny all but it is good practice to define your own, so

access-list acl_in extended deny ip any any

This will be at the very end of your config.

After you create the access-list you will need to bind it to the interface that you are creating it for. So with the one I just created you would bind it to the inside interface.

access-group acl_in in interface inside (or whatever the nameif name you choose is)
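Before cutting over from the WatchGuard, it helps to sanity-check the ASA access-lists for the mistakes discussed in this thread (a port match on protocol "ip", a missing explicit deny at the end, an access-group that points at an ACL or nameif that does not exist). The checker below is an added example written for this page, not Cisco's tooling or anything posted above; the config fragment it scans is constructed and mirrors the replies.

```python
import re

# Constructed sample ASA fragment modelled on this thread (not a real config).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list acl_in permit ip any any eq 80
access-list acl_in extended permit tcp any any eq 443
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-list smtp extended deny ip any any
access-group acl_in in interface inside
access-group smtp in interface outside
access-group dmz_in in interface dmz
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def lint_asa_config(text):
    """Return a list of findings for the ACL pitfalls discussed in the thread."""
    findings = []
    nameifs = set()
    acls = {}  # ACL name -> list of (action, protocol, remainder) in order
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest))
            # protocol 'ip' has no ports: 'eq 80' only makes sense with tcp/udp
            if proto == "ip" and re.search(r"\b(eq|range|gt|lt)\b", rest):
                findings.append(f"{name}: protocol 'ip' with a port match ('{line}'); use tcp or udp")
    # every ACL should finish with the explicit deny the reply recommends
    for name, entries in acls.items():
        if entries[-1] != ("deny", "ip", "any any"):
            findings.append(f"{name}: missing trailing 'deny ip any any'")
    # access-group must bind an ACL that exists to a nameif that exists
    for raw in text.splitlines():
        if m := GROUP_RE.match(raw.strip()):
            name, _, iface = m.groups()
            if name not in acls:
                findings.append(f"access-group binds undefined ACL '{name}'")
            if iface not in nameifs:
                findings.append(f"access-group references unknown nameif '{iface}'")
    return findings
```

Run `lint_asa_config(open("asa.cfg").read())` against a `show running-config` dump to get the list of findings for a real box.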
