Having discussed how to administer Cisco ASA using the ASDM, here is a brief description of some important parameters.
Interface: Identify the hardware interface or switch vlan interface. Enter interface config mode (e.g. e0/1) to assign and activate the switch port.
Note: Names and security levels can also be assigned to a VLAN interface.
Nameif: This gives the interface a name and at the same time, assigns a security level such as outside, inside, or DMZ.
Security-level: These are numeric values from 0 to 100 used by the ASA to control traffic flow. Traffic flows only from higher to lower security levels, not vice versa. To permit access from lower levels, use access lists. The default security for the outside interface is 0.
Configuring VLAN Interfaces and DMZ Security Level in Cisco ASA
Here are the steps for assigning virtual interfaces to Cisco ASA. First, we assign the inside and outside VLAN interfaces. Next, we configure the DMZ interface, assigning a security level of 50 in the configuration below.
ASA(config)# interface vlan1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# interface vlan2
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# interface vlan3
ASA(config-if)# nameif dmz
ASA(config-if)# security-level 50IP Address: They assign an IP address to a VLAN interface, either statically or dynamically, making it a DHCP Client.
With recent versions of ASA software, it is not vital to configure default subnet masks as we can see below. But when using a classless mask, you have to expressly configure the mask, otherwise, it is is not important.
In this demonstration, the IP address assigned to VLAN 2, the outside interface. Note: Ethernet port 0 is used in connecting to the outside world and belongs to VLAN 2.
ASA(config-if)# interface vlan 2
ASA(config-if)# ip address x9.xx.3x.21Assigning a DHCP address to a cisco ASA interface, here we are configuring interface VLAN 1, the inside interface as a DHCP client in order to be able to get an IP address. Note: Setroute ensures the it gets all its IP parameters from the DHCP server.
ASA(config-if)# interface vlan 1
ASA(config-if)# ip address dhcp setroute
Assigning Ports to Vlans: In this step you can assign ports to the particular VLAN you want as shown below. e.g you want to add e0/0 to vlan 2
ASA(config-if)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdownand lastly
ASA(config-if)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 1
ASA(config-if)# no shutdownConfiguring IP-Based Network Object: Object network ‘MyNameD’
Network Object: Object network “MyNameD”. The object network “MyNameD” can basically be any word or number which is used to create an object named “MyNameD”. The network option specifies that this particular object will be based on IP addresses. The subnet 10.1x.1.x 255.0.0.0 command states that “MyNameD” will affect any IP address beginning with 192.168.1x.x
ASA(config-if)#object network MyNameD
ASA(config-network-object)#subnet 10.1x.1.x 255.x.0.0When you know how to administer Cisco ASA Network Address Translation (NAT): Enables the ASA to permit outgoing traffic from the inside interface to the outside interface to use any address dynamically or statically configured on the outside interface.
ASA(config)#nat (inside,outside) dynamic interfaceRoute: This command assigns a default route for traffic, typically to an ISP’s router. When you know how to administer Cisco ASA It can also be used to direct traffic specific to specific subnets.
In this example, the route command is used to configure a default route to the ISP’s router at 10.1x.1.x. These two zeroes before the ISP’s router IP address are a short form of its full IP e.g 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.
ASA(config-if)# route outside 0 0 10.10.1.3When you know how to administer Cisco ASA, you’ll encounter intriguing variations in interface configurations across different ASA models. Take a peek at the screen capture, perhaps from a Cisco ASA 5510, 5520, or 5540, and you’ll notice a distinctive twist: the ‘nameif’ command, a pivotal tool in your arsenal, takes the reins in labeling physical interfaces instead of VLAN interfaces. This is where the magic happens, as the VLAN interface then aligns harmoniously with this naming prowess, seamlessly guiding your ASA’s performance.