![]() He holds multiple certifications on Microsoft, Cisco, and Linux products. He is a veteran IT guy with over 35 years’ experience in technology for the workplace. The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide and President of a Seattle, Washington-based IT training firm. hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.Ĭiscoasa(config-if)# interface ethernet 0/0Ĭiscoasa(config-if)# switchport access vlan 2Ĭiscoasa(config-if)# interface ethernet 0/1Ĭiscoasa(config-if)# switchport access vlan 1Ĭiscoasa(config-if)# ip address 192.168.1.1Ĭiscoasa(config-if)# route outside 0 0 12.3.4.6Ĭiscoasa(config-if)#object network obj_anyĬiscoasa(config-network-object)#subnet 0.0.0.0 0.0.0.0Ĭiscoasa(config)#nat (inside,outside) dynamic interfaceĮxcerpted from The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide by Don R. The above commands create a very basic firewall, however, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. The two zeroes before the ISP’s router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. In this sample configuration, the route command is used to configure a default route to the ISP’s router at 12.3.4.6. outside identifies the interface through which traffic will flow to reach the default route. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. The route command, in its most basic form, assigns a default route for traffic, typically to an ISP’s router. The nat statement, as shown below, tells the firewall to allow all traffic flowing from the inside to the outside interface to use whatever address is dynamically (DHCP) configured on the outside interface. The subnet 0.0.0.0 0.0.0.0 command states that obj_any will affect any IP address not configured on any other object. (You do not have to name the object “obj_any” that is a descriptive name, but you could just as easily name it “Juan”.) The network option states that this particular object will be based on IP addresses. The object network obj_any statement creates an object called “obj_any”. interface ethernet 0/0 switchport access vlan 2 no shutdown interface ethernet 0/1 switchport access vlan 1 no shutdownĬiscoasa(config-if)# object network obj_any This command is not used on the ASA 55x0 appliances. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on). The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface. If you are using non-standard masks, you must explicitly configure the mask, otherwise, it is not necessary. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. INFO: Security level for "outside" set to 0 by default. INFO: Security level for "inside" set to 100 by default. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces. The interface command identifies either the hardware interface or the Switch Virtual Interface (VLAN interface) that will be configured. To enable basic functionality, there are eight basic commands (these commands are based on software version 8.3(1) or greater): Additionally, management must be allowed from at least one inside host. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Initially, however, there are just a few commands required to configure basic functionality on the appliance. As you gain knowledge of the appliance, you will use more and more of the commands. There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. It is an excerpt from his latest: The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide Here's a guest post sent to me by Don Crawley, author of The Accidental Administrator book series.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |