New Member

about ASA firewall

 

 Hello everyone,

 I have a question about ASA firewall: is it true that in ASA firewall, there are 2 ways we can configure it?

 Either we use GUI mode to access the ASA firewall or CLI mode?

 Is the GUI application basically the ASDM that we download and install on the firewall?

Thanks

 

 

7 REPLIES
VIP Purple

Yes, you are right. You can use either the CLI or the GUI which is the ASDM.

For the firewalling-part you can also do some config on the CLI and other config on the GUI, just as you want.

But for VPN, there are some parts in the config that can't be configured with the CLI, these have to be done in the GUI.

New Member

 Hello Karsten Iwen

Thanks for your reply. So you mean that there are certain configurations that can only be done on CLI and GUI mode?

My other question is: apart from configuring ACLs on firewalls, what else can we do on it?
Do we also have to configure IPS/IDS on it or are they set by default?

Thanks

 

Hall of Fame Super Silver

Very little is set by default. A default configuration only has the management interface active with an IP address and DHCP server. Once you set up some basic interface addresses and give them names and security levels you will, by default, be allowed to pass traffic from higher security to lower security level interfaces. Some routing is helpful to make anything other than connected networks reachable.

There are hundreds of other things you can do. IDS/IPS, for instance, is a separate and optional module on the ASA. Only if you have it installed and licensed can you then create a service-policy in the ASA (using CLI or GUI) directing traffic to it.

Configuration of the IDS is technically possible from the CLI but 99% of people use the GUI (ASDM or IME - IPS Manager Express) for that.
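
A minimal ASA CLI sketch of what the reply above describes, added here as an illustration (it is not part of the original thread or the poster's own configuration). Interface IDs, interface names, addresses (documentation ranges) and the ACL, class-map and policy-map names are constructed, and the `ips` line assumes an IPS module such as the AIP-SSM is installed and licensed.

```cisco
! Constructed example: two named interfaces with security levels.
! Traffic from the higher level (inside, 100) to the lower level
! (outside, 0) is allowed by default; the reverse direction needs an ACL.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Default route so that networks beyond the connected ones are reachable.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Select the traffic to hand to the IPS module (here: all IP traffic).
access-list IPS-TRAFFIC extended permit ip any any
!
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
! "inline" places the module in the traffic path so it can drop packets;
! "promiscuous" sends it a copy for detection only.
! "fail-open" keeps passing traffic if the module is unavailable;
! "fail-close" blocks the matched traffic instead.
policy-map IPS-POLICY
 class IPS-CLASS
  ips inline fail-open
!
! Apply the policy to traffic entering the outside interface.
service-policy IPS-POLICY interface outside
```

After applying a policy like this, `show service-policy` shows whether traffic is matching the class and being redirected to the module.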

New Member

 Hello Sir,

Sorry for the delay, and thanks for the reply. Sir, do you mean that by default the security settings on the ASA firewall are set to the max (highest) level?

How do we install IPS/IDS on the ASA firewall?

Do these IPS/IDS protect the LAN from external threats, e.g. viruses, trojans, etc.?

 

Regards,

 

Hall of Fame Super Silver

As I mentioned above, "IDS/IPS, for instance is a separate and optional module on the ASA." It must be installed and licensed. There are several types for the ASA. On the older 5500 series as well as the newer 5500-X series, one can use the AIP-SSM, part of Cisco's older technology IPS. Its capabilities are covered in the data sheet.

The newer 5500-X series also have the option of running IPS services on the CX module as part of the Next Generation Firewall (NGFW) features (also included is the option to run Web Security Essentials and Application Visibility and Control). That product is further described here.

The NGFW features are going to give you the greatest protection going forward as that represents the latest platform and developments from Cisco.

For whichever path you choose, the product support page (linked from the product info pages I already noted above) for a given product has installation and configuration guides.

hi fahad,

karsten is right! you can only do certain things or configuration in ASDM (ASA GUI) versus CLI.

a perfect example is the clientless SSL VPN (webvpn) portal customization.

also to further add to his answer, there's an option either to install the launcher permanently on your PC/NMS or run dynamically from ASA (from flash).

VIP Green

Also, just to add, the XML files for the AnyConnect profiles can only be customised via the ASDM.

--

Please remember to select a correct answer and rate
