Administer Cisco ASA: Mastering CLI Management

Posted on Christian By Christian No Comments on Administer Cisco ASA: Mastering CLI Management
firewall management

Having discussed how to administer Cisco ASA using the ASDM, here is a brief description of some important parameters.

Interface: Identify the hardware interface or switch vlan interface. Enter interface config mode (e.g. e0/1) to assign and activate the switch port.

Note: Names and security levels can also be assigned to a VLAN interface.

Nameif: This gives the interface a name and at the same time, assigns a security level such as outside, inside, or DMZ.

Security-level: These are numeric values from 0 to 100 used by the ASA to control traffic flow. Traffic flows only from higher to lower security levels, not vice versa. To permit access from lower levels, use access lists. The default security for the outside interface is 0.

Configuring VLAN Interfaces and DMZ Security Level in Cisco ASA

Here are the steps for assigning virtual interfaces to Cisco ASA. First, we assign the inside and outside VLAN interfaces. Next, we configure the DMZ interface, assigning a security level of 50 in the configuration below.

ASA(config)# interface vlan1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# interface vlan2
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# interface vlan3
ASA(config-if)# nameif dmz
ASA(config-if)# security-level 50

IP Address: They assign an IP address to a VLAN interface, either statically or dynamically, making it a DHCP Client.
With recent versions of ASA software, it is not vital to configure default subnet masks as we can see below. But when using a classless mask, you have to expressly configure the mask, otherwise, it is is not important.

In this demonstration, the IP address assigned to VLAN 2, the outside interface. Note: Ethernet port 0 is used in connecting to the outside world and belongs to VLAN 2.

ASA(config-if)# interface vlan 2
ASA(config-if)# ip address x9.xx.3x.21

Assigning a DHCP address to a cisco ASA interface, here we are configuring interface VLAN 1, the inside interface as a DHCP client in order to be able to get an IP address. Note: Setroute ensures the it gets all its IP parameters from the DHCP server.

ASA(config-if)# interface vlan 1
ASA(config-if)# ip address dhcp setroute
Assigning Ports to Vlans: In this step you can assign ports to the particular VLAN you want as shown below. e.g you want to add e0/0 to vlan 2
ASA(config-if)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdown

and lastly

ASA(config-if)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 1
ASA(config-if)# no shutdown

Configuring IP-Based Network Object: Object network ‘MyNameD’

Network Object: Object network “MyNameD”. The object network “MyNameD” can basically be any word or number which is used to create an object named “MyNameD”. The network option specifies that this particular object will be based on IP addresses. The subnet 10.1x.1.x 255.0.0.0 command states that “MyNameD” will affect any IP address beginning with 192.168.1x.x

ASA(config-if)#object network MyNameD
ASA(config-network-object)#subnet 10.1x.1.x 255.x.0.0

When you know how to administer Cisco ASA Network Address Translation (NAT): Enables the ASA to permit outgoing traffic from the inside interface to the outside interface to use any address dynamically or statically configured on the outside interface.

ASA(config)#nat (inside,outside) dynamic interface

Route: This command assigns a default route for traffic, typically to an ISP’s router. When you know how to administer Cisco ASA It can also be used to direct traffic specific to specific subnets.

In this example, the route command is used to configure a default route to the ISP’s router at 10.1x.1.x. These two zeroes before the ISP’s router IP address are a short form of its full IP e.g 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.

ASA(config-if)# route outside 0 0 10.10.1.3

When you know how to administer Cisco ASA, you’ll encounter intriguing variations in interface configurations across different ASA models. Take a peek at the screen capture, perhaps from a Cisco ASA 5510, 5520, or 5540, and you’ll notice a distinctive twist: the ‘nameif’ command, a pivotal tool in your arsenal, takes the reins in labeling physical interfaces instead of VLAN interfaces. This is where the magic happens, as the VLAN interface then aligns harmoniously with this naming prowess, seamlessly guiding your ASA’s performance.

Rate this post
Network | Monitoring

Related Posts

More Related Articles

Screenshot 4 Veeam Agent for AIX: Initial Deploy/UUID Error Network | Monitoring
Featured image Two Factor Authentication Change Two-Factor Authentication in Microsoft 365/Office 365 Network | Monitoring
How to Block IP Addresses Using Group Policy (GPO) in Active Directory Block IP Addresses Using Group Policy (GPO) in Active Directory Network | Monitoring
Cannot save to the location Windows How to Fix Cannot Save to Windows System32 Default.rdp Error Network | Monitoring
Watchguard Firewall 180504 100511 1 Reset an XTM Firebox Device: Easy Guide Network | Monitoring
Add Nutanix AHV to Veeam Full Integration Guide on how to Add Nutanix AHV to Veeam Network | Monitoring

Leave a Reply