Hello and welcome to the tutorial on building up the Cisco ASA step by step.
Today we are heading towards the first tutorial where we will build our Cisco ASA from scratch.
We will configure the ASA with basic requirements and will get its interfaces up and running and also troubleshoot the most probable issues faced while doing the same.
Agenda:
# Setting up the privilege mode password.
# Naming the appliance
# Configuring the interfaces
Topology
Requirement 1.
Privilege mode password:
Cisco ASA appliance comes with no privilege mode password. We are prompt for password but we can just enter the mode without any.
Set the privilege mode password as “secret@123” to restrict any one to get access in.
Configuration:
ciscoasa> enable
(To get in the privilege mode)
(To get in the privilege mode)
ciscoasa# configuration terminal
(To get in the global config mode)
(To get in the global config mode)
ciscoasa(config)#enable password Secret@123
(Enables the privilege mode password as Secret@123)
(Enables the privilege mode password as Secret@123)
ciscoasa(config)#exit
(To exit the mode)
(To exit the mode)
ciscoasa#wr
(To save the config)
(To save the config)
ciscoasa#exit
ciscoasa>
Now we will try to enter the privilege mode without the password as we did before.
ciscoasa> enable (To get in the privilege mode)
We are not allowed to make in the privilege mode as we are not specifying the password which has been configured earlier.
Now lets try with the password.
ciscoasa> enable
Password: **********
And we are now allowed to make in the privilege mode.
Now let's move towards next requirement.
Requirement 2.
Naming the device:
Cisco ASA appliance comes with default host name as ciscoasa.
Change the hostname to “Mountain”.
Our this requirement ask us to change the host name to "Mountain".
Let's configure:
Ciscoasa>enable
Password: ********
ciscoasa#configure terminal
ciscoasa(config)#hostname Mountain
(To specify host name is Mountain)
(To specify host name is Mountain)
As we executive the command the hostname changes immediately.
Now let's move towards the last requirement for this tutorial.
Requirement 3:
Interface configuration:
Default interface status on Cisco ASA appliance is down.
Configure the cisco ASA interfaces as below
Interface gigabitEthernet 1
Ip address 192.168.1.1/24
Name it Inside
Security level 100
Default interface status on Cisco ASA appliance is down.
Configure the cisco ASA interfaces as below
Interface gigabitEthernet 1
Ip address 192.168.1.1/24
Name it Inside
Security level 100
Let's configure
Mountain>enable
Password: ********
Mountain#configure terminal
Mountain (config)#interface gi 1
(To enter the interface config mode)
(To enter the interface config mode)
Mountain (config-if)#ip address 192.168.1.1 255.255.255.0
(Specifying the IP address and netmask)
(Specifying the IP address and netmask)
Mountain (config-if)#no shut
(Enabling the interface)
(Enabling the interface)
As per our L3 switches and routers this is the minimum config required to enable a interface. But in ASA this doesn't works.
The proof is as below.
The interface is up but the ip address is still missing and which mean the interface is not yet in working state.
Naming the interface is very important in ASA.
Now the question arises on security level. Is it important ?
Yes, it is also the important factor in interface configuration but as per the default Cisco design, security level of 100 is given to the interface, when we configure the interface with name as Inside and 0 to all other Interfaces.
Now the question arises on security level. Is it important ?
Yes, it is also the important factor in interface configuration but as per the default Cisco design, security level of 100 is given to the interface, when we configure the interface with name as Inside and 0 to all other Interfaces.
So if we fail to configure it, the default 100 or 0 will be assigned but if we want to define our own levels, then we have to do that manually.
Mountain (config-if)#nameif Inside
(Naming the Interface)
(Naming the Interface)
Mountain (config-if)#security level 100
(Configuring the security level)
(Configuring the security level)
Mountain (config)#exit
Mountain (config)#exit
Let's verify the interface status
Mountain#show interface if brief
(Getting the brief interface status)
(Getting the brief interface status)
Similarly we have too configure the second Interfaces.
Interface gigabitEthernet 2
Ip address 192.168.2.1/24
Name it DMZ
Security level 75
Ip address 192.168.2.1/24
Name it DMZ
Security level 75
Commands:
Mountain#configure terminal
Mountain (config)#interface gi 2
Mountain (config-if)#ip address 192.168.2.1 255.255.255.0
Mountain (config-if)#nameif DMZ
Mountain (config-if)#no shut
Mountain (config-if)#security level 75
Mountain (config-if)#exit
Mountain (config)#exit
The sequence of the command doesn't matters.
Verification
Mountain#show interface if brief
And the third Interfaces.
Interface gigabitEthernet 0
Ip address 192.168.3.1/24
Name it Outside
Security level 0
Ip address 192.168.3.1/24
Name it Outside
Security level 0
Commands:
Mountain#configure terminal
Mountain (config)#interface gi 1
Mountain (config-if)#ip address 192.168.3.1 255.255.255.0
Mountain (config-if)#nameif Outsidr
Mountain (config-if)#no shut
And as we said Outside then pre-desined security level gets configured.
Mountain (config)#exit
Mountain (config)#exit
Verification
Mountain#show interface if brief
Friends, we have successfully configured all the basic requirements which were the part of agenda.
To get better clarification for the concepts, please watch the video tutorial linked above.
Also subscribe my Youtube channel for further updates and also like and comment your suggestions.
What does security level 100, 75 or 0 means?
ReplyDelete100 means inside securty default
Delete75 for dmz
0 for outside these are default on cisco asa
Security level 100 means inside interface, 0 means outside , 50/75 means Dmz
ReplyDeleteInterfaces on ASA are always give a security level.
ReplyDeleteIt ranges from 0 to 100, 100 being the highest sec and 0 being the lowest.
It’s given for traffic flow, for e.g. if we see water in the river, it will never flow from down to up it will always flow top to bottom.
Similarly in ASA traffic only flows from 100 interface to lower interface without any ACL. If you want to slow the traffic from o to you then need to have ACL.
Also one thing to mention, it’s up to us what Security levels we want the interface to be assisgbed. We can assign o, 80 or any number between 0 to 200 to any interface.