Lauren Malhoit describes how to change our Juniper firewalls for a couple of Cisco ASAs.
At one of my sites we've decided to change out our Juniper firewalls for a couple Cisco ASAs. This is nothing against Juniper, I'm just used to working with Cisco. I've planned on taking this step by step, because the top priority is getting a real VPN solution up and running. I really enjoy working with Cisco products, although at times their site can be a little difficult to navigate. So I'm hoping I can convey some step-by-step processes and resources that will be helpful to others in this post and future posts.
The first thing I did was power up the roaring devices at my desk, which invited curious, non-geeky passersby to look at me like I had three heads, and hook up a laptop with a network cable to do the initial firmware updates while seated comfortably. I connected to the first firewall by browsing to the default URL, which brings up the ASDM. Most of my set-up will take place in the GUI, so I apologize to you command-line junkies (refer here).
Once in the ASDM, the first thing I wanted to do was update the ASA and ASDM firmware. I put the Start Up Wizard on hold for now, clicked the Home button in the top left and selected the Device Dashboard tab. At the top left of the dashboard, under Device Information, you'll see details about the device, including the ASA version and ASDM version. I then went to the Cisco site to see what the most current versions were. My devices were a version behind, so I signed into my Cisco SMARTNET account and downloaded the newest firmware, after checking that the ASDM and ASA versions I was downloading were compatible with each other.
After the downloads completed, I went back to the ASDM and followed these steps:
- Go to Tools and click on Upgrade Software from Local Computer
- Under Image to Upload, select ASA (or ASDM depending) in the pull-down menu
- Click the Browse Local Files button and select the file you just downloaded (ex: asa***-**.bin).
- The Browse Flash field may auto-populate; if not, click Browse Flash and choose the appropriate file name.
- Click on Upload Image
- Click Yes to set as boot-image
You will then receive a message that tells you where to go next, but in case you clicked through it without reading, here's a quick rundown of how to apply the upgrade.
- Go to Tools and click on System Reload
- Make sure "Save running configuration at time of reload" is selected under Configuration State.
- Make sure "Now" is selected under Reload Start Time.
- Click Schedule Reload
- After the reload, check the version (again, found in the Dashboard) to make sure it has been updated
Now that I have both devices up to date, I can rack them and start the initial configuration. I brought my laptop back in and, while directly connected, brought up the ASDM again. I opened the Start Up Wizard and clicked on Modify existing configuration. You can pretty much follow the wizard, but there are a few things worth pointing out. The initial interface you set up is most likely your "outside" or "untrusted" network. Make sure you enable the interface and have a valid external IP address to enter under "Use the following IP address." Then configure the rest of the interfaces, or at least the "inside" interface, so you can connect to the device from the network.
The next configuration step is to specify static routes. Obviously this will depend on what your network configuration looks like. I'll assume you have one inside subnet (ex: 192.168.10.0) connected to the firewall and the rest of the subnetting is done via routers or layer 3 switches. If this is the case, there is no need to put your inside network (192.168.10.0) in the static routes, because it's already a connected route. However, if you have other subnets (ex: accounting = 192.168.11.0 and IT = 192.168.12.0), the firewall needs to be told how to reach the nodes in those networks so they can get an outside connection.
- Click on Add in the Static Routes window
- Choose the Interface (in this case "Inside").
- Click the Network button and click on Add in the Browse Network window
- Give the network a name (ex: IT) and choose Network as the type.
- Enter the network address (ex: 192.168.12.0) and a description if you like, then click OK
- Back in the Browse Network window, choose the network you just configured and click OK, which will populate the Network field.
- In the Gateway IP field, specify the gateway configured on the router or layer 3 switch (ex: 192.168.12.1) and click OK.
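For the command-line junkies, here is an added Python helper (my illustration, not anything from the post or from Cisco) that applies the rule above: a subnet already connected to an ASA interface is skipped, every other subnet gets the ASA CLI `object network` and `route` lines that correspond to the ASDM clicks, and a next hop that does not sit on the chosen interface's subnet is flagged. The inside interface address 192.168.10.254 and the next hop 192.168.10.1 (the layer 3 switch's address on the inside subnet) are assumptions.

```python
"""Turn a static-route plan into ASA CLI lines, skipping connected subnets."""
from ipaddress import ip_address, ip_interface, ip_network

# ASA interfaces as set up in the Start Up Wizard (constructed sample; the
# inside address 192.168.10.254/24 is an assumption, not a value from the post).
INTERFACES = {"inside": ip_interface("192.168.10.254/24")}

# Subnets from the post: (object name, ASA interface, network, next hop).
# The next hop is assumed to be the layer 3 switch's address on the inside
# subnet (192.168.10.1 is an assumption).
PLANNED = [
    ("Inside", "inside", "192.168.10.0/24", "192.168.10.1"),
    ("Accounting", "inside", "192.168.11.0/24", "192.168.10.1"),
    ("IT", "inside", "192.168.12.0/24", "192.168.10.1"),
]


def plan_static_routes(interfaces, planned):
    """Return (cli_lines, skipped, warnings) for a list of planned routes.

    cli_lines: ASA 'object network' and 'route' commands to apply.
    skipped:   subnets left out because they are already connected routes.
    warnings:  routes whose next hop is not on the chosen interface's subnet.
    """
    cli, skipped, warnings = [], [], []
    for name, ifname, network, gateway in planned:
        net = ip_network(network)
        gw = ip_address(gateway)
        iface = interfaces[ifname]
        if net.subnet_of(iface.network):
            skipped.append(network)  # connected route: the ASA already has it
            continue
        if gw not in iface.network:
            warnings.append(f"{network}: next hop {gateway} is not on the "
                            f"{ifname} subnet {iface.network}")
            continue
        cli += [f"object network {name}",
                f" subnet {net.network_address} {net.netmask}",
                f"route {ifname} {net.network_address} {net.netmask} {gw} 1"]
    return cli, skipped, warnings


if __name__ == "__main__":
    lines, skipped, warns = plan_static_routes(INTERFACES, PLANNED)
    print("\n".join(lines))
    for subnet in skipped:
        print(f"! {subnet} skipped: directly connected")
    for warning in warns:
        print(f"! WARNING {warning}")
```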
After following these steps, you'll have updated firewall devices with the inside interfaces configured. This is most of the battle for just getting the devices up. In the next post I'll go through setting up the outside interface and allowing management access, so you can get out of the cacophonous server room and do the rest from your cushy desk chair.