Cisco Support Community

New Member

New ASA 5510

Hello, I just unboxed my new ASA 5510. I have the task to configure this and install it onto my network. Currently we are running a WatchGuard Firebox X700 firewall. I will be replacing this with the ASA.

I will be swapping this out and putting the new ASA in. Knowing this, I need to set up and preconfigure the ASA like I have my firewall currently in production. This will be my first setup on an ASA.

Configuring and setting it up for security is something I could use some guidance on. I have all the policies/configuration from the WatchGuard box.

If someone can help with setup/configuration and the best way to handle the swap, I would appreciate input.

3 REPLIES
Silver

Re: New ASA 5510

Hi John,

You can set up the ASA in 5 steps:

Step 1: Name the interfaces

interface Ethernet0
nameif outside
interface Ethernet1
nameif inside

Step 2: Define security levels for the interfaces

interface Ethernet0
security-level 0
interface Ethernet1
security-level 100

Step 3: Assign IP addresses to the interfaces:

interface Ethernet0
ip address 20.20.20.17 255.255.255.248
interface Ethernet1
ip address 192.168.2.1 255.255.255.0

Step 4: Enable NAT/global to allow traffic to go outside from inside.

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Step 5: Define a route

route outside 0.0.0.0 0.0.0.0 <next-hop-ip>

To allow access to a host/network in the inside zone:

You will have to define a static NAT and permit it in an access-list that is bound to the outside interface. For example:

static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside

HTH

Saju

Please rate if it helps

New Member

Re: New ASA 5510

Saju,

Thanks for your response. I have access-lists on the router on the core network. Will I have to configure access-lists on the ASA also?

At the moment I have external and internal interfaces on the WatchGuard firewall. I have about 10 static routes for communications with a couple of remote offices over an MPLS circuit and some VLANs. I have 10 policies configured for external OWA, SSL, SharePoint, ping, etc. I guess I need to configure all of that on this new ASA. Have any recommendations on this?

So if I go with step 1, name the interfaces, and step 2, assign security-levels to the interfaces. What I read is that the WAN should be set to 0 and the inside LAN should be set to 100; what do those numbers mean?

Step 3: my WAN Ethernet0 will be the external IP that's on my firewall and Ethernet1 will be the internal private IP that's on the firewall. Step 4, enable NAT, and step 5, define a route.

I will also need to add all of those static routes.

Once again thanks for your input.

New Member

Re: New ASA 5510

0 and 100 define the security level for the interface. The higher the number, the more trusted it is, thus the reason you would use the interface with a security level of 100 to be your inside interface.

Yes, whatever you have set up on your current firewall you will have to add to the ASA.

So, routes and access-lists.

You can set up a default route that looks like

route outside 0.0.0.0 0.0.0.0 1.2.3.4

and use this as a template to create the rest of your routes.

For example, if your access-list is permitting http, https, and ftp you would create an access-list that looks something like this:

access-list acl_in extended permit tcp any any eq 80
access-list acl_in extended permit tcp any any eq 443
access-list acl_in extended permit tcp any any eq ftp

There is an implicit deny all, but it is good practice to define your own, so

access-list acl_in extended deny ip any any

This will be at the very end of your config.

After you create the access-list you will need to bind it to the interface that you are creating it for. So with the one I just created you would bind it to the inside interface.

access-group acl_in in interface inside

(or whatever the nameif name you choose is)
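As an added example (not code from anyone in this thread), a small Python checker for ASA access-list snippets like the ones above, written in Python because the ASA CLI itself cannot be run offline: it flags `eq PORT` on a protocol other than tcp/udp (the ASA rejects `permit ip any any eq 80`), a list that does not end with an explicit `deny ip any any`, and a list that is never bound with `access-group`. The sample configuration text is constructed and reproduces the `ip ... eq 80` mistake plus the unbound smtp list from the earlier reply.

```python
def _addr(t, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET MASK'); return (text, next index)."""
    if i >= len(t):
        return "", i
    return (t[i], i + 1) if t[i].startswith("any") else (" ".join(t[i:i + 2]), i + 2)

def parse_ace(t):
    """Parse tokens of 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    if len(t) < 6 or t[0] != "access-list":
        return None
    i = 3 if t[2] == "extended" else 2
    if t[i] not in ("permit", "deny"):
        return None
    ace = {"name": t[1], "action": t[i], "proto": t[i + 1], "port": None}
    ace["src"], i = _addr(t, i + 2)
    ace["dst"], i = _addr(t, i)
    if i + 1 < len(t) and t[i] == "eq":
        ace["port"] = t[i + 1]
    return ace

def lint_acls(config_text):
    """Return findings for an ASA ACL snippet; an empty list means every check passed."""
    findings, acls, bound = [], {}, set()
    for n, raw in enumerate(config_text.splitlines(), 1):
        t = raw.strip().rstrip(".").split()   # tolerate a trailing '.' typed after a line
        if len(t) == 5 and t[0] == "access-group" and t[3] == "interface":
            bound.add(t[1])
        elif (ace := parse_ace(t)) is not None:
            if ace["port"] and ace["proto"] not in ("tcp", "udp"):   # ASA rejects 'ip ... eq 80'
                findings.append(f"line {n}: 'eq {ace['port']}' needs tcp or udp, not '{ace['proto']}'")
            acls.setdefault(ace["name"], []).append(ace)
    for name, aces in acls.items():
        deny_all = [a["action"] == "deny" and a["proto"] == "ip"
                    and a["src"] == "any" and a["dst"] == "any" for a in aces]
        if not deny_all[-1]:
            findings.append(f"acl {name}: does not end with an explicit 'deny ip any any'")
        if name not in bound:
            findings.append(f"acl {name}: not bound to an interface with access-group")
    return findings

# Constructed sample: acl_in with the protocol mistakenly given as 'ip', plus an unbound smtp list.
AS_POSTED = """\
access-list acl_in permit ip any any eq 80
access-list acl_in permit ip any any eq 443
access-list acl_in permit ip any any eq ftp
access-list acl_in deny ip any any.
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group acl_in in interface inside
"""
```

Running `lint_acls(AS_POSTED)` reports the three bad `ip ... eq` lines and the two problems with the smtp list; the corrected lines in the reply above produce no findings.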
