Required help on ASA basic setup and configuration

Answered Question
Feb 7th, 2014

Hi,


I am very, very new to the Security/Firewall domain. As I have gone through a lot of documents and understood, there must be one outside interface and at least one or multiple inside interfaces depending on the requirement. I have attached a high level design; it shows how the ASAs are to be connected to the Aggre/Dist. switches and how the DMZs are connected to the ASA via L2 switches. Could anyone help me on how to configure this and what basic configuration is required to establish the network so that it works? I need two inside networks: one is for DMZ servers and another one is for other servers to be advertised to the outside DC.

Correct Answer by Marius Gunnerud about 3 years 6 months ago

Is this what you are looking for?


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html



--
Please remember to rate and select a correct answer

Goutam Biswas Sun, 02/09/2014 - 22:09

Hi Parosh,


Thanks for your reply. If you have configured the same topology, could you please give me a configuration sample for the same setup.

Marius Gunnerud Fri, 02/07/2014 - 11:44

Which ASA model are you running, and which version?


A very basic configuration you could set up; just remember to change the interface numbers and IP addresses to the required values:


interface GigabitEthernet0/1
 security-level 100
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 security-level 0
 nameif outside
 ip address 8.8.8.9 255.255.255.252
 no shutdown
!
route outside 0 0 8.8.8.10
!
object network LAN-to-outside-NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
!
username USERNAME password PASSWORD
enable password PASSWORD


As I mentioned, this is a very basic config that allows only traffic from the inside to the outside and nothing more. But you will have internet access at least. Also keep in mind that you should change the subnets for http and ssh to a dedicated management subnet.


Please refer to this configuration guide.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html


If you need more assistance please let us know.


--
Please remember to rate and select a correct answer

Goutam Biswas Sun, 02/09/2014 - 22:12

Hi,


Thanks.


What I understood from your configuration: the ASA is located inline. Is my understanding right? If so, could you please give me a sample config for ASAs connected to Nk501 & 02 with high availability.


The ASA model is 5584-X, but I am not aware of the software version; it would be the latest version.

Marius Gunnerud Mon, 02/10/2014 - 00:32

When you say NK501, I assume that is a typo and that it should be N5K01 (for Nexus 5000 switch 1?).


So if these are Nexus switches, and assuming you are looking for an active/standby configuration on the ASA for HA, your configuration would be something like the following if you want full redundancy.


---------------------------

N5K01

feature vpc
!
vpc domain 1
  role priority 1000
  system-priority 1
  ! source is this switch's own Ethernet1/22 address (the original had source and destination swapped)
  peer-keepalive destination 169.254.111.2 source 169.254.111.1 vrf default
  auto-recovery
!
interface Ethernet1/19
  description ASA01
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/21
  description ASA01
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/22
  description vpc-keepalive
  no switchport
  ip address 169.254.111.1/16
  no shutdown
!
interface Ethernet1/23
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface Ethernet1/24
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface port-channel1
  description vpc-peerlink
  ! the peer-link must be a trunk
  switchport mode trunk
  vpc peer-link
!
interface port-channel2
  description ASA
  switchport mode trunk
  vpc 1

------------------------------------------


N5K02

feature vpc
!
vpc domain 1
  role priority 65535
  system-priority 1
  ! source is this switch's own Ethernet1/22 address (the original had source and destination swapped)
  peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default
  auto-recovery
!
interface Ethernet1/19
  description ASA02
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/21
  description ASA02
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/22
  description vpc-keepalive
  no switchport
  ip address 169.254.111.2/16
  no shutdown
!
interface Ethernet1/23
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface Ethernet1/24
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface port-channel1
  description vpc-peerlink
  ! the peer-link must be a trunk
  switchport mode trunk
  vpc peer-link
!
interface port-channel2
  description ASA
  switchport mode trunk
  vpc 1

----------------------------------------------


ASA01

! ASA member interfaces need an explicit channel-group mode and must be brought up
interface TenGigabitEthernet0/6
 description N5K01
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K01
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3 mode active
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3 mode active
 no shutdown
!
interface Port-channel2
 description N5K01
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
interface Port-channel3
 description Failover link
!
interface Port-channel3.10
 description Failover (LAN) link
 vlan 10
!
interface Port-channel3.20
 description Stateful failover link
 vlan 20
!
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
! enable failover only after the links and addresses above are in place
failover

----------------------------


ASA02

! secondary unit: the same config apart from the unit role (the active unit replicates its config to the standby)
interface TenGigabitEthernet0/6
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3 mode active
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3 mode active
 no shutdown
!
interface Port-channel2
 description N5K02
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
interface Port-channel3
 description Failover link
!
interface Port-channel3.10
 description Failover (LAN) link
 vlan 10
!
interface Port-channel3.20
 description Stateful failover link
 vlan 20
!
failover lan unit secondary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
! enable failover only after the links and addresses above are in place
failover



--
Please remember to rate and select a correct answer
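Two points in this thread can be checked mechanically before a config is pasted into a box: the caveat that http/ssh access should not be open to a whole data subnet, and the rule that the two units of a failover pair must differ only in their unit role. The script below is an added example, not code from the thread or from Cisco; the config snippets inside it are constructed, modelled on the placeholders posted above (NAME, PASSWORD and the addresses are the thread's placeholders, not real devices).

```python
import re
import ipaddress

# Constructed samples (not the thread's own text) modelled on the basic config
# and the failover pair posted above; the management lines mirror the caveat.
BASIC = """
interface GigabitEthernet0/1
 nameif inside
 ip add 192.168.1.1 255.255.255.0
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""
ASA01 = """
interface Port-channel2
 nameif NAME
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
failover lan unit primary
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
"""
ASA02 = ASA01.replace("unit primary", "unit secondary")  # second unit: only the role differs

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def data_networks(cfg):
    """Subnets of every 'ip address' (or abbreviated 'ip add') interface line."""
    return {net(a, m) for a, m in re.findall(r"^\s*ip add\w* (\S+) (\S+)", cfg, re.M)}

def mgmt_on_data_subnet(cfg):
    """http/ssh entries whose allowed range covers a whole data-interface subnet."""
    nets = data_networks(cfg)
    hits = []
    for proto, a, m, iface in re.findall(r"^(http|ssh) (\S+) (\S+) (\S+)$", cfg, re.M):
        scope = net(a, m)
        if any(n.subnet_of(scope) for n in nets):
            hits.append(f"{proto} from {scope} on {iface} covers a data subnet")
    return hits

def failover_findings(unit_a, unit_b):
    """Only the unit role should differ between the two configs of a pair."""
    findings = []
    roles = sorted(re.findall(r"^failover lan unit (\w+)", unit_a + unit_b, re.M))
    if roles != ["primary", "secondary"]:
        findings.append(f"expected one primary and one secondary unit, got {roles}")
    ips = lambda c: set(re.findall(r"^failover interface ip .*$", c, re.M))
    if ips(unit_a) != ips(unit_b):
        findings.append("failover interface ip lines differ between the units")
    return findings
```

Running `mgmt_on_data_subnet(BASIC)` flags both management lines of the basic config, and `failover_findings(ASA01, ASA01)` flags a pair where both units were left as primary.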

Marius Gunnerud Mon, 02/10/2014 - 00:34

Just noticed that I forgot to include the DMZ interfaces on the ASAs.  But I am sure that you can figure that out by looking at the other interface configuration that I provided.


--
Please remember to rate and select a correct answer

Goutam Biswas Mon, 02/10/2014 - 01:29

Hi,


Thanks,


Can you tell me which interface would work for outside? As per my understanding of your config sample, port-channel2 is configured between the ASA and nk5-1 and 2 and will be used for outside, and the same port-channel 2 is used for inside also with security level 60. Does that mean I need to sub-interface that port-channel like:


port-channel2.30 is mapped with vlan 30 used for outside security level 0

port-channel2.40 is mapped with vlan 40 used for inside security level 60

port-channel2.50 is mapped with vlan 50 used for inside security level 90


And as per your config, ASA-01 is connecting to n5k-01 and ASA-02 is connecting to n5k-02 with no cross connect between the ASA and nk5 (will it be good for redundancy purposes, or is this a design restriction?).

Marius Gunnerud Mon, 02/10/2014 - 03:09

If you have several VLANs that need to go through the firewall then yes, you need to configure port-channel 2 with subinterfaces.


I did not include any configuration for the inside network as I thought it would be quite self-explanatory by following the example for the interfaces going towards NK501 - 2.


ASA-01 is only connected to n5k-01 and ASA-02 is only connected to n5k-02 as per your network diagram. Yes, you could cable them redundantly between the n5k switches if you wanted to do that. I was just following your diagram.



--
Please remember to rate and select a correct answer

Goutam Biswas Mon, 02/10/2014 - 03:14

Hi


Thanks, I will check and let you know if everything works fine. Thanks again for your help. Another help if possible:


Do you have any documents on the ASA where it shows diagram-based configuration according to Data Center Design? It would help me to understand better and correlate with my setup.


I mean different design diagrams and configuration deployment solutions in today's Data Center.

Goutam Biswas Tue, 02/11/2014 - 01:51

Hi,


I am looking for a basic design and configuration; this is a very high level design and configuration, which is a little bit difficult for me to understand as a fresher in Security.

Marius Gunnerud Tue, 02/11/2014 - 02:49

Then the only other thing that might be what you want is a configuration guide, and not a design guide.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/Nexus5000-NX-OS-ConfigurationGuide.pdf


Let me know if this is closer.



--
Please remember to rate and select a correct answer
