
Setting up a Cisco ASA 5510 firewall, part 3

Lauren Malhoit ties up the series on setting up a Cisco ASA 5510 firewall.

In the first part of this series we went through setting up the inside interfaces and static routes to enable communication on the inside. Of course, what good is that if we don't have an outside route set up so your users can access YouTube and Facebook to their heart's content?

For this setup, you can either go back into the Startup Wizard or click the Configuration button and then select Device Setup in the bottom left. Expand Routing in the Device Setup tree and highlight Static Routes.

You should see your previously configured inside routes, which in our example were 192.168.11.0 and 192.168.12.0. Click the Add button again; this time we're going to create a default route to the Outside.

  1. Pick the interface that is connected to the outside (either by connecting to a VLAN that goes outside or directly connected to your ISP).
  2. In the Network field, pick any, which is pre-populated in your Network list.
  3. In the Gateway IP field, enter the gateway that leads to your ISP. This will be an external IP address (meaning not in the 10.x.x.x, 172.16.x.x, or 192.168.x.x private networks).
  4. Click OK.

Now in Static Routes you'll see the new route on the Outside interface, with 0.0.0.0 for both the IP address and the netmask. This should allow you to get out to the internet now, because by default the ASA allows traffic to flow freely from an inside network (which presumably has a higher security level) to an outside network (which is set up with a lower security level). You can test whether this worked by going to Tools, clicking on Command Line Interface, and pinging the IP address for Google. You can find Google's IP by doing an nslookup for Google on a computer that has DNS settings specified. Your ASA may not be configured with DNS yet, so pinging the IP is the only way to really test. If you get four !s and a SUCCESS message, you'll know you have an outside connection!

If you would like to set up DNS on your firewall, that is a fairly simple process. While still under Configuration, click on Device Management and expand DNS in the tree. Click on DNS Client, enter the DNS information for your domain, and enable DNS lookups on your inside interface. Then click Apply. You should now be able to ping Google by name from the CLI.
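For readers who prefer the command line, or who want to check what ASDM actually wrote, here is the CLI equivalent of the default-route steps and the DNS client setup above. This is an added example, not configuration from the original post: the interface name `outside`, the ISP gateway 203.0.113.1, the internal resolver 192.168.11.10, the domain example.com and the address 198.51.100.10 (standing in for the Google IP you looked up) are all placeholders to replace with your own values. The `route` and `dns` commands are entered in `configure terminal`; `show route` and `ping` run from privileged EXEC.

```cisco
! Added example (not from the original post). Placeholder values throughout.

! Default route via the outside interface. ASDM displays this entry as
! 0.0.0.0 / 0.0.0.0 on the Outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! Confirm the route is installed, then test reachability by IP address;
! name resolution is not available until the DNS client is configured.
show route
ping 198.51.100.10

! DNS client: permit lookups sourced from the inside interface and point the
! default server group (DefaultDNS, the one ASDM populates) at the internal
! resolver. Requests leave the ASA via the inside interface, so that interface
! must be able to reach the resolver.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.11.10
 domain-name example.com

! With the DNS client in place, a name-based ping now resolves and succeeds.
ping www.google.com

! Persist the configuration (the CLI equivalent of ASDM's Save).
write memory
```

A quick check worth doing after `show route`: the gateway on the `0.0.0.0 0.0.0.0` line should be the ISP-facing address from step 3, and the outgoing interface should be `outside`. If the ping by IP succeeds but the ping by name fails, the route is fine and the problem is in the `dns` lines (wrong resolver address, or lookups not enabled on the interface that reaches it).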

Now it's time to configure the Active Directory information. Active Directory integration is optional, but it will allow you in the future to write firewall ACLs and rules that refer to users as well as IP addresses.

  1. You can stay in the Device Management tree, but expand Users/AAA.
  2. Click Add in the AAA Server Groups pane.
  3. Name the server group and choose LDAP as the protocol.
  4. Click OK.
  5. Highlight your newly created server group.
  6. Click Add under the Servers in the Selected Group pane.
  7. Choose the interface, most likely your inside interface.
  8. Enter the IP address of your Active Directory server.
  9. Choose whether to enable SSL (you'll have to find out from your AD admin; hopefully that's you, too!).
  10. Choose Microsoft as your server type.
  11. Your Base DN will look something like this: CN=users,DC=domain,DC=com
  12. Enter a login DN and password for an account that has access to your Active Directory, and click OK.
  13. You can now test the connection by clicking Test on the right side.
  14. Apply and Save the settings.
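The same AAA server group, expressed on the CLI, shows what each ASDM field maps to. This is an added example, not configuration from the original post: the group name `AD-LDAP`, the domain controller 192.168.11.10 on the `inside` interface, the domain example.com, the bind account `asa-ldap` and the test user `jdoe` are placeholders. It turns on the SSL option from step 9, because with plain LDAP on port 389 both the bind account's password and every user's password the ASA checks cross the network in cleartext; LDAPS on 636 encrypts that exchange. The bind account should be a dedicated, low-privilege one whose only job is reading the directory.

```cisco
! Added example (not from the original post). Placeholder values throughout.

! Step 3: server group named AD-LDAP using the LDAP protocol.
aaa-server AD-LDAP protocol ldap

! Steps 6-12: one server in the group, reached via the inside interface.
aaa-server AD-LDAP (inside) host 192.168.11.10
 ldap-base-dn CN=Users,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,CN=Users,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636

! Step 13: the CLI equivalent of the Test button. Use a throwaway test
! account rather than an administrator's credentials.
test aaa-server authentication AD-LDAP host 192.168.11.10 username jdoe password <test-user-password>

! Step 14: save the running configuration.
write memory
```

`ldap-scope subtree` and `ldap-naming-attribute sAMAccountName` are the two settings most often responsible for a failed test against a Microsoft domain: without subtree scope the ASA only searches the base DN's immediate level, and without `sAMAccountName` it does not match the short logon names users actually type. Leave `ldap-over-ssl` and `server-port 636` in place once your AD admin confirms the domain controller presents a certificate for LDAPS.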

The firewall is now ready for normal maintenance and configuration. You can create firewall rules and ACLs to permit or deny traffic to and from different networks. There are dozens if not hundreds of other features available to configure. The Cisco ASA can be used as a firewall (routed or transparent), an Intrusion Prevention System, and a VPN (client/clientless IPsec and/or SSL, and site-to-site). This three-part series of blog posts should get everyone started and somewhat familiar with the ASDM interface of the Cisco ASA 5510.

About

Lauren Malhoit has been in the IT field for over 10 years and has acquired several data center certifications. She's currently a Technology Evangelist for Cisco focusing on ACI and Nexus 9000. She has been writing for a few years for TechRepublic, Te...

2 comments
RyanJP

Have you considered similar posts with Fortinet hardware?

lmalhoit

I would like to do these kinds of posts with all kinds of equipment! However, I don't have any Fortinet stuff to play with, so that specifically won't be coming any time soon probably.