about ASA firewall

Fahad Wasi
Level 1

 

Hello everyone,

I have a question about the ASA firewall: is it true that there are 2 ways we can configure it?

Either we use GUI mode to access the ASA firewall or CLI mode?

Is the GUI application basically the ASDM that we download and install on the firewall?

Thanks


7 Replies

Yes, you are right. You can use either the CLI or the GUI which is the ASDM.

For the firewalling-part you can also do some config on the CLI and other config on the GUI, just as you want.

But for VPN, there are some parts in the config that can't be configured with the CLI; these have to be done in the GUI.

 

Hello Karsten Iwen,

Thanks for your reply. So you mean that there are certain configurations that can only be done on CLI and GUI mode?

My other question is: apart from configuring ACLs on firewalls, what else can we do on it?
Do we also have to configure IPS/IDS on it, or are they set by default?

Thanks

 

Very little is set by default. A default configuration only has the management interface active with an IP address and DHCP server. Once you set up some basic interface addresses and give them names and security levels you will, by default, be allowed to pass traffic from higher security to lower security level interfaces. Some routing is helpful to make anything other than connected networks reachable.

There are hundreds of other things you can do. IDS/IPS, for instance, is a separate and optional module on the ASA. Only if you have it installed and licensed can you then create a service-policy in the ASA (using CLI or GUI) directing traffic to it.

Configuration of the IDS is technically possible from the CLI, but 99% of people use the GUI (ASDM or IME - IPS Manager Express) for that.
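The two behaviours described in the answer above (the default higher-to-lower security-level rule between named interfaces, and a service-policy that hands traffic to an installed IPS module) can be checked mechanically against a config. The script below is an added example, not from this thread or from Cisco: it parses a constructed ASA-style configuration fragment, works out which interface pairs pass traffic by default when no ACL is applied, notes whether a default route exists, and reports whether a policy-map class redirects traffic to the IPS module. The interface names, addresses and the `ips_class`/`global_policy` names are constructed sample values.

```python
"""Added example (not from the thread or from Cisco): apply the ASA default
security-level rule to a small ASA-style config and detect an IPS redirect."""
import re

# Constructed sample config in ASA CLI syntax: three named interfaces, a
# default route, and a global service policy sending all traffic to the IPS
# module ("ips inline fail-open" is the AIP-SSM redirect command).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
class-map ips_class
 match any
policy-map global_policy
 class ips_class
  ips inline fail-open
service-policy global_policy global
"""


def parse_interfaces(config):
    """Return {nameif: security_level} for every interface block that has both."""
    levels = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new block; nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def parse_routes(config):
    """Return (interface, network, mask, gateway) tuples from 'route' lines."""
    return [m.groups() for m in
            (re.match(r"route (\S+) (\S+) (\S+) (\S+)", l) for l in config.splitlines())
            if m]


def has_ips_redirect(config):
    """True if some policy-map class sends traffic to the IPS module."""
    return any(line.strip().startswith("ips ") for line in config.splitlines())


def default_flow_allowed(levels, src, dst, same_security_permitted=False):
    """ASA default with no ACL applied: connections may be initiated from a
    higher security-level interface to a lower one; lower to higher is denied;
    equal levels are denied unless 'same-security-traffic permit
    inter-interface' is configured."""
    s, d = levels[src], levels[dst]
    if s > d:
        return True
    if s == d:
        return same_security_permitted
    return False


def summarize(config):
    """Evaluate every interface pair plus routing and IPS-redirect facts."""
    levels = parse_interfaces(config)
    same_ok = "same-security-traffic permit inter-interface" in config
    flows = {(s, d): default_flow_allowed(levels, s, d, same_ok)
             for s in levels for d in levels if s != d}
    return {
        "levels": levels,
        "flows": flows,
        "default_route": any(r[1] == "0.0.0.0" for r in parse_routes(config)),
        "ips_redirect": has_ips_redirect(config),
    }


if __name__ == "__main__":
    info = summarize(SAMPLE_CONFIG)
    for (src, dst), ok in sorted(info["flows"].items()):
        print(f"{src:8} -> {dst:8}: {'allowed' if ok else 'denied'} by default")
    print("default route present:", info["default_route"])
    print("traffic sent to IPS module:", info["ips_redirect"])
```

Running it shows inside -> outside, inside -> dmz and dmz -> outside allowed by default, the reverse directions denied, and the IPS redirect present; deleting the `ips inline fail-open` line turns `ips_redirect` false, which is the check to run when an IPS module is installed but no traffic seems to reach it.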

 

Hello Sir,

Sorry for the delay, and thanks for the reply. Sir, do you mean that by default the security settings on the ASA firewall are set to the max (highest) level?

How do we install IPS/IDS on the ASA firewall?

Do these IPS/IDS protect the LAN from external threats, e.g. viruses, trojans, etc.?

Regards,

 

As I mentioned above, "IDS/IPS, for instance is a separate and optional module on the ASA." It must be installed and licensed. There are several types for the ASA. On the older 5500 series as well as the newer 5500-X series, one can use the AIP-SSM, part of Cisco's older technology IPS. Its capabilities are covered in the data sheet.

The newer 5500-X series also have the option of running IPS services on the CX module as part of the Next Generation Firewall (NGFW) features (also included is the option to run Web Security Essentials and Application Visibility and Control). That product is further described here.

The NGFW features are going to give you the greatest protection going forward as that represents the latest platform and developments from Cisco.

For whichever path you choose, the product support page (linked from the product info pages I already noted above) for a given product has installation and configuration guides.

johnlloyd_13
Level 9

hi fahad,

karsten is right! you can only do certain things or configuration in ASDM (ASA GUI) versus CLI.

a perfect example is the clientless SSL VPN (webvpn) portal customization.

also, to further add to his answer, there's an option either to install the launcher permanently on your PC/NMS or run it dynamically from the ASA (from flash).

Also, just to add, the XML files for the anyconnect profiles can only be customised via the ASDM.

--

Please remember to select a correct answer and rate
