Required help on ASA basic setup and configuration

Goutam Biswas
Level 1

Hi,

I am very, very new to the Security/Firewall domain. As I have gone through a lot of documents, I understood there must be one outside interface and at least one or multiple inside interfaces depending on the requirement. I have attached a high level design; it shows how the ASAs are to be connected to the Aggre/Dist. switches and how the DMZs are connected to the ASA via L2 switches. Could anyone help me with how to configure this and what basic configuration is required to establish the network and make it work? I need two inside networks: one for the DMZ servers and another for the other servers to be advertised to the outside DC.

14 Replies

Mizanul Islam
Level 1

Hi Goutam,

A few days ago I configured the same topology. But first I need the requirements, then I can help you. You can mail me directly (parosh.islam@yahoo.com).

Here is the link for configuration help.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html

Regards

Parosh

+8801755591722

Hi Parosh,

Thanks for your reply. If you have configured the same topology, could you please give me a configuration sample for the same setup?

Which ASA model are you running and version?

A very basic configuration you could setup, just remember to change the interface numbers and IP addresses to the required values:

interface GigabitEthernet0/1
 security-level 100
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 security-level 0
 nameif outside
 ip address 8.8.8.9 255.255.255.252
 no shutdown
!
! Default route towards the ISP next hop
route outside 0 0 8.8.8.10
!
! Dynamic PAT: everything from the inside subnet leaves with the outside interface address
object network LAN-to-outside-NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Management access (ASDM over HTTPS and SSH), limited to the inside subnet
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
! Without this line SSH ignores the local username below and falls back to the default login
aaa authentication ssh console LOCAL
username USERNAME password PASSWORD
enable password PASSWORD

As I mentioned, this is a very basic config that allows only traffic from the inside to the outside and nothing more. But you will have internet access at least. Also keep in mind that you should change the subnets for http and ssh to a dedicated management subnet.

Please refer to this configuration guide.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html

If you need more assistance please let us know.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
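The "dedicated management subnet" remark above is the kind of thing that is easy to forget once the box is in production. The following Python audit is an added example, not code from the post or from Cisco: it parses an ASA configuration in the form shown above, maps each nameif to its security level and subnet, and flags any http/ssh/telnet rule that opens the management plane to an entire data subnet or to a security-level 0 interface. The posted configuration is embedded as constructed sample input; the hardened variant with a 192.168.1.16/28 management range is an assumption made for illustration.

```python
import ipaddress
import re

# Constructed sample: the basic configuration from the post above, with the
# management lines as posted (the whole inside /24 may reach http and ssh).
POSTED_CONFIG = """\
interface GigabitEthernet0/1
 security-level 100
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 security-level 0
 nameif outside
 ip address 8.8.8.9 255.255.255.252
 no shutdown
route outside 0 0 8.8.8.10
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""

# Assumed hardening (hypothetical 192.168.1.16/28 management range): only that
# range on the inside interface may reach the management plane.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "http 192.168.1.0 255.255.255.0 inside", "http 192.168.1.16 255.255.255.240 inside"
).replace(
    "ssh 192.168.1.0 255.255.255.0 inside", "ssh 192.168.1.16 255.255.255.240 inside"
)

MGMT_RULE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_interfaces(config):
    """Map each nameif to its security level and directly connected subnet."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"security_level": None, "network": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a global command ends the interface block
            continue
        words = line.split()
        if words[0] == "nameif":
            interfaces[words[1]] = current
        elif words[0] == "security-level":
            current["security_level"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            current["network"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
    return interfaces


def audit_management_access(config):
    """Return one finding string per weakness in the http/ssh/telnet access rules."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        rule = MGMT_RULE.match(line.strip())
        if not rule:
            continue
        proto, addr, mask, nameif = rule.groups()
        allowed = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        iface = interfaces.get(nameif)
        if proto == "telnet":
            findings.append(f"{line.strip()}: telnet sends credentials in cleartext, use ssh")
        if iface is None:
            findings.append(f"{line.strip()}: unknown interface {nameif}")
            continue
        if iface["security_level"] == 0:
            findings.append(f"{line.strip()}: management reachable from a security-level 0 interface")
        # The rule covers the whole connected subnet (or more): every host on the
        # data network, not just a management range, can reach the management plane.
        if iface["network"] is not None and iface["network"].subnet_of(allowed):
            findings.append(f"{line.strip()}: every host on {nameif} ({iface['network']}) "
                            "may reach the management plane; use a dedicated management subnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_management_access(cfg) or ["clean"]:
            print(" ", finding)
```

Run against the posted configuration it reports both the http and the ssh rule; against the hardened variant it reports nothing, because a /28 does not cover the inside /24. A rule such as `ssh 0.0.0.0 0.0.0.0 outside` would be reported twice, once for the security-level 0 interface and once for the unrestricted source.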

Hi,

Thanks.

What I understood from your configuration is that the ASA is located inline. Is my understanding right? If so, could you please give me a sample config for ASAs connected to Nk501 & 02 with high availability.

The ASA model is 5584-X, but I am not aware of the software version; it would be the latest version.

When you say NK501, I take it that is a typo and that it should be N5K01 (for Nexus 5000 switch 1)?

So if these are Nexus switches, I assume you are looking for an active/standby configuration on the ASA for HA. Your configuration would be something like the following if you want full redundancy.

---------------------------

N5K01

feature vpc
!
vpc domain 1
  role priority 1000
  system-priority 1
  ! source is this switch's own keepalive address, destination is the peer's
  peer-keepalive destination 169.254.111.2 source 169.254.111.1 vrf default
  auto-recovery
!
interface Ethernet1/19
  description ASA01
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/21
  description ASA01
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/22
  description vpc-keepalive
  no switchport
  ip address 169.254.111.1/16
  no shutdown
!
interface Ethernet1/23
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface Ethernet1/24
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface port-channel1
  description vpc-peerlink
  ! the peer-link must carry every vPC VLAN, so it has to be a trunk
  switchport mode trunk
  vpc peer-link
!
interface port-channel2
  description ASA
  switchport mode trunk
  vpc 1

------------------------------------------

N5K02

feature vpc
!
vpc domain 1
  role priority 65535
  system-priority 1
  ! mirror image of N5K01: source is this switch, destination is N5K01
  peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default
  auto-recovery
!
interface Ethernet1/19
  description ASA02
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/21
  description ASA02
  switchport mode trunk
  channel-group 2 mode active
!
interface Ethernet1/22
  description vpc-keepalive
  no switchport
  ip address 169.254.111.2/16
  no shutdown
!
interface Ethernet1/23
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface Ethernet1/24
  description vpc-peerlink
  channel-group 1
  no shutdown
!
interface port-channel1
  description vpc-peerlink
  switchport mode trunk
  vpc peer-link
!
interface port-channel2
  description ASA
  switchport mode trunk
  vpc 1

----------------------------------------------

ASA01

interface TenGigabitEthernet0/6
 description N5K01
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K01
 channel-group 2 mode active
 no shutdown
!
! Static (mode on) bundle for the back-to-back failover link between the two ASAs
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3 mode on
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3 mode on
 no shutdown
!
interface Port-channel2
 description N5K01
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
! Port-channel3 carries the LAN failover VLAN and the stateful failover VLAN
interface Port-channel3
 description Failover link
!
interface Port-channel3.10
 description LAN failover link
 vlan 10
!
interface Port-channel3.20
 description Stateful failover link
 vlan 20
!
failover
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162

----------------------------

ASA02

interface TenGigabitEthernet0/6
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3 mode on
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3 mode on
 no shutdown
!
interface Port-channel2
 description N5K02
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
interface Port-channel3
 description Failover link
!
interface Port-channel3.10
 description LAN failover link
 vlan 10
!
interface Port-channel3.20
 description Stateful failover link
 vlan 20
!
! The second unit is the secondary; once failover comes up the rest of the
! configuration is replicated from the primary, only the failover lines must match
failover
failover lan unit secondary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162

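An active/standby pair and a vPC domain both depend on the two sides being configured as mirror images, and the mistakes are silent until a failover actually happens. The script below is an added example, not from the post or from Cisco: it extracts the failover statements from two ASA configurations and checks that the unit roles differ while the key, interface names and failover addresses match, and it checks that an N5K's vPC peer-keepalive source is an address the switch itself owns while the destination is not. The sample inputs are constructed from the configurations above, including an ASA02 that repeats `failover lan unit primary` and an N5K01 whose keepalive source and destination are swapped, beside corrected copies of each.

```python
import re

# Constructed excerpts of the failover statements for the two ASA units above.
ASA01 = """\
failover
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
"""
ASA02_AS_POSTED = ASA01  # both units claim the primary role
ASA02_FIXED = ASA01.replace("failover lan unit primary", "failover lan unit secondary")

# Constructed excerpt of the N5K01 vPC domain and keepalive interface: the
# switch owns 169.254.111.1 but names it as the keepalive destination.
N5K01_AS_POSTED = """\
vpc domain 1
  peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default
interface Ethernet1/22
  description vpc-keepalive
  no switchport
  ip address 169.254.111.1/16
"""
N5K01_FIXED = N5K01_AS_POSTED.replace(
    "destination 169.254.111.1 source 169.254.111.2",
    "destination 169.254.111.2 source 169.254.111.1")


def parse_failover(config):
    """Pull the failover statements out of one unit's configuration."""
    info = {"role": None, "key": None, "lan": None, "link": None, "ips": {}}
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["failover", "lan", "unit"]:
            info["role"] = words[3]
        elif words[:2] == ["failover", "key"]:
            info["key"] = words[2]
        elif words[:3] == ["failover", "lan", "interface"]:
            info["lan"] = (words[3], words[4])  # (logical name, interface)
        elif words[:2] == ["failover", "link"]:
            info["link"] = (words[2], words[3])
        elif words[:3] == ["failover", "interface", "ip"]:
            info["ips"][words[3]] = (words[4], words[5], words[7])  # active, mask, standby
    return info


def check_failover_pair(unit_a, unit_b):
    """Findings for an active/standby pair: roles must differ, everything else must match."""
    a, b = parse_failover(unit_a), parse_failover(unit_b)
    findings = []
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got {a['role']} and {b['role']}")
    for field in ("key", "lan", "link", "ips"):
        if a[field] != b[field]:
            findings.append(f"failover {field} settings differ between the units")
    for name, (active, _mask, standby) in a["ips"].items():
        if active == standby:
            findings.append(f"{name}: active and standby addresses are identical")
    return findings


def check_vpc_keepalive(config):
    """The keepalive source must be an address this switch owns; the destination must not be."""
    match = re.search(r"peer-keepalive destination (\S+) source (\S+)", config)
    if not match:
        return ["no vpc peer-keepalive configured"]
    destination, source = match.groups()
    own = set(re.findall(r"ip address (\d+\.\d+\.\d+\.\d+)/\d+", config))
    findings = []
    if source not in own:
        findings.append(f"keepalive source {source} is not an address configured on this switch")
    if destination in own:
        findings.append(f"keepalive destination {destination} is this switch's own address")
    return findings


if __name__ == "__main__":
    print("ASA pair as posted:", check_failover_pair(ASA01, ASA02_AS_POSTED))
    print("ASA pair fixed:    ", check_failover_pair(ASA01, ASA02_FIXED))
    print("N5K01 as posted:   ", check_vpc_keepalive(N5K01_AS_POSTED))
    print("N5K01 fixed:       ", check_vpc_keepalive(N5K01_FIXED))
```

The checks are deliberately narrow: they compare what the two configurations say, not what the devices do, so a pair that passes still needs `show failover` and `show vpc` on the boxes to confirm the links are actually up.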

Just noticed that I forgot to include the DMZ interfaces on the ASAs.  But I am sure that you can figure that out by looking at the other interface configuration that I provided.


Hi,

Thanks,

Can you tell me which interface would work for outside? As per my understanding of your config sample, port-channel2 is configured between the ASA and n5k-1 and 2 and will be used for outside, and the same port-channel 2 is also used for inside with security level 60. Does that mean I need to sub-interface that port-channel like this:

port-channel2.30 is mapped with vlan 30 used for outside security level 0

port-channel2.40 is mapped with vlan 40 used for inside security level 60

port-channel2.50 is mapped with vlan 50 used for inside security level 90

And as per your configuration, ASA-01 is connecting to n5k-01 and ASA-02 is connecting to n5k-02, with no cross connect between the ASAs and n5ks (is that good for redundancy purposes, or is it a design restriction?).

If you have several VLANs that need to go through the firewall, then yes, you need to configure port-channel 2 with subinterfaces.

I did not include any configuration for the inside network as I thought it would be quite self-explanatory by following the example for the interfaces going towards NK501 - 2.

ASA-01 is only connected to n5k-01 and ASA-02 is only connected to n5k-02 as per your network diagram.  Yes you could cable them redundant between the n5k switches if you wanted to do that.  I was just following your diagram.


Hi

Thanks,  I will check and let you know if everything works fine.  Thanks again for your help.  Another help if possible.

Do you have any documents on the ASA where it shows diagram-based configuration according to Data Center design? It would help me to understand better and correlate with my setup.

I mean different design diagram and configuration deployment solution in today's Data Center.

Is this what you are looking for?

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html


Hi,

I am looking for a basic design and configuration. This is a very high level of design and configuration, which is a little bit difficult to understand for me as a fresher in Security.

Normally design documents do not have any configuration in them. But I had a look around and found this... hope it is what you are looking for.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns824/sbaDC_cGuide.pdf


I have this one thanks

Then the only other thing that might be what you want is a configuration guide and not a design guide.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/Nexus5000-NX-OS-ConfigurationGuide.pdf

Let me know if this is closer
