The Cisco ASA 5510 Security Appliance is a firewall from the popular ASA 5500 line. These devices are built to protect the network traffic of small and medium-sized businesses. The configuration below gives the company's workstations secure access to the Internet through the appliance.

Firewalls are sold with a standard Base license or with an extended Security Plus license. The latter raises the performance ceiling compared with the Base license: where the Base license supports up to 50,000 concurrent connections, Security Plus raises the limit to 130,000. The maximum number of VLANs also doubles, from 50 to 100.

The ASA 5510 has five Ethernet ports (four data ports plus the management port). With the Base license they run at 10/100 Mbps; Security Plus enables 10/100/1000 Mbps on Ethernet0/0 and Ethernet0/1.

After purchasing a Security Plus license it has to be activated. Enter the key from the license, save the configuration and reload (0xab12cd34 below stands for the real key, which consists of several hexadecimal words):

telecombookASA(config)#activation-key 0xab12cd34
telecombookASA(config)#exit
telecombookASA#copy running-config startup-config
telecombookASA#reload

Next, consider an example of setting up Internet access. The Internet provider has allocated one static IP address, 77.77.77.1. The internal network will use 172.16.10.0/24. Ethernet0/0 is the WAN interface and Ethernet0/1 connects the devices of the internal network.

All devices of the internal network will be placed in VLAN 10, so the subinterface Ethernet0/1.10 has to be created and enabled. The ASA will hand out IP addresses to the workstations over DHCP, and NAT (more precisely PAT) will translate internal addresses to the single outside address.

The network topology will look like this:

The initial setup is to protect privileged mode with a password: enable password MyPass, where MyPass is the password for entering privileged mode on the device.

The external interface is configured with interface Ethernet0/0. Its name is set with nameif outside, its security level with security-level 0 (the least trusted), and its address with ip address 77.77.77.1 255.255.255.252.

The internal interface is an 802.1Q subinterface, Ethernet0/1.10, carrying VLAN 10 on the physical port Ethernet0/1. The physical port must be enabled first, then the subinterface is configured:

telecombookASA(config)#interface Ethernet0/1
telecombookASA(config-if)#no shutdown
telecombookASA(config-if)#interface Ethernet0/1.10
telecombookASA(config-if)#nameif inside
telecombookASA(config-if)#vlan 10
telecombookASA(config-if)#security-level 100
telecombookASA(config-if)#ip address 172.16.10.254 255.255.255.0
telecombookASA(config-if)#no shutdown

PAT setup (pre-8.3 syntax: the global/nat pair was replaced by object NAT in ASA 8.3 and later). Traffic from inside hosts is translated to the address of the outside interface:

telecombookASA(config)#global (outside) 1 interface
telecombookASA(config)#nat (inside) 1 172.16.0.0 255.255.0.0

Default route (the trailing 1 is the administrative distance):

telecombookASA(config)#route outside 0.0.0.0 0.0.0.0 77.77.77.2 1

Configuring a DHCP server on the ASA. The address pool must lie inside the subnet of the interface it is bound to (the inside interface is 172.16.10.254/24), so the pool is 172.16.10.1-172.16.10.240:

telecombookASA(config)#dhcpd dns 88.88.88.20
telecombookASA(config)#dhcpd address 172.16.10.1-172.16.10.240 inside
telecombookASA(config)#dhcpd enable inside

The interface part of the configuration, put together (the subinterface, PAT, default route and DHCP commands above complete it):

telecombookASA(config)#enable password MyPass
telecombookASA(config)#interface Ethernet0/0
telecombookASA(config-if)#nameif outside
telecombookASA(config-if)#security-level 0
telecombookASA(config-if)#ip address 77.77.77.1 255.255.255.252
telecombookASA(config-if)#no shutdown
telecombookASA(config)#interface Ethernet0/1
telecombookASA(config-if)#speed 100
telecombookASA(config-if)#duplex full
telecombookASA(config-if)#no nameif
telecombookASA(config-if)#no security-level
telecombookASA(config-if)#no ip address
telecombookASA(config-if)#no shutdown

In this part we look at working in ROMMON.
ROMMON is mostly for emergencies: a corrupted or accidentally deleted OS image, or a forgotten password.

To simulate this situation we delete the OS file and reset the configuration:

configure factory-default

Connect to the ASA over the console.
Enter ROMMON by pressing Esc while the boot countdown is running, then set the network parameters and pull the image over TFTP (one command per line at the rommon prompt):

interface ethernet0/0
address 10.0.0.1
server 10.0.0.2
file asa842-k8.bin
tftpdnld

The ASA boots the OS straight from TFTP and we get control of the device in normal mode. TFTP is unauthenticated, so once the device is up, copy the image to flash and check its checksum against the value published on cisco.com (verify /md5 flash:/asa842-k8.bin) before making it the boot image.

After booting this way the enable password is empty (just press Enter).

Further settings follow the lab diagram. First, the internal interface:

interface GigabitEthernet2
security-level 100
nameif inside
ip address 192.168.2.253 255.255.255.0
no shutdown

Parameters set on the interface:
security-level 100: this is the internal interface, so it gets the highest security level, i.e. it is trusted the most.
nameif inside: the name of the interface. This is an important parameter, because the name is used in most of the later configuration.

Checking IP addressing:
The address settings of the interfaces can be checked with

show running-config ip

or with a ping from the ASA to a host on the inside network.

A few words about the console:
With an empty configuration the enable password is empty; just press Enter.

On a Cisco IOS router, show commands can only be entered in privileged EXEC mode; from configuration mode you have to prefix them with do (do show ...). On the ASA, show works in any mode.
Output of a long command (e.g. show running-config) can be aborted with the q key.

OS image

boot system flash:/asa914-5-k8.bin

Without this command the first image found on flash is loaded.

Check which image will be booted with show bootvar, then reload.

ASDM image

We have made sure the internal interface is configured correctly and ping works, so there is a working connection to the internal network and we can set up management of the ASA.

The ASA can be managed in several ways:

  • SSH: command-line management over the SSH protocol.
  • ASDM: graphical user interface.

In our case (GNS3) we use versions that are compatible with each other and with GNS3:
ASA Version 8.4(2)
ASDM Version 6.4(3)

For ASDM to work, copy its file to flash and point the ASA at it:

asdm image flash:/asdm-643.bin

Check the selected ASDM image with show asdm image.

To summarize, two files must be on flash for the ASA to work properly:

  • OS, for example asa914-5-k8.bin: the operating system image, required to boot the system
  • ASDM, for example asdm-643.bin: the file required for the ASDM management interface

Further settings

Set the hostname with the hostname command.

Set the enable password:

enable password mysecretpassword

Create an admin user and enable authentication against the local user database for SSH and HTTP (ASDM):

username asaadmin password adminpassword privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

Note that aaa authentication was not enabled for telnet; in that case telnet logins are checked against the single password set with the passwd command, with no per-user accounts. Telnet also sends everything in cleartext, so it is better not to allow it at all.

Generate the RSA key pair required for SSH. Use a 2048-bit modulus; the 1024-bit key found in older guides is no longer considered adequate:

crypto key generate rsa modulus 2048

For ASDM, enable the HTTPS server and restrict which hosts may connect; do the same for SSH:

http server enable
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside

The first command turns on the server; the http and ssh lines define who is let in (source network and the interface the connection arrives on).

As you know, HTTPS requires a certificate. Here the ASA uses a self-signed temporary certificate, which means the certificate is regenerated on every reboot and clients see a new, untrusted certificate each time.

In general, we can configure 3 types of certificates for ASA:

  • Self Signed Temporary Certificate- own certificate that is generated every time the ASA boots
  • Self Signed Permanent Certificate- own certificate, which is generated once
  • Real Certificate from PKI- a certificate generated by a third-party Certificate Authority

We will return to this later.

For convenience, increase the SSH idle timeout (the default is 5 minutes), for example ssh timeout 30.

Checking the HTTP, SSH and telnet settings:

show running-config aaa
show running-config http
show running-config ssh
show running-config telnet
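The output of those four show commands is what a reviewer reads first when auditing the management plane. The following script is an added example, not code from the original page: it takes that output (plus the crypto key generate command as typed) and flags the weak spots discussed above. SAMPLE is constructed: it repeats the page's commands, keeps the 1024-bit key, and adds one deliberately bad line, SSH open to the whole Internet on the outside interface.

```python
"""Management-plane audit for the ASA settings shown above (added example).
Reads the lines of show running-config aaa/http/ssh/telnet and the
crypto key generate command, and reports cleartext, unauthenticated,
unrestricted or externally exposed management access."""
import ipaddress
import re

# Constructed sample: the page's commands plus one intentionally bad ssh line.
SAMPLE = """\
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
crypto key generate rsa modulus 1024
http server enable
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.2.0 255.255.255.0 inside
ssh timeout 30
"""

# ssh|telnet|http <network> <mask> <nameif>: who may open a management session
ACCESS_RE = re.compile(r"^(ssh|telnet|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (ssh|telnet|http) console \S+", re.M)
RSA_RE = re.compile(r"^crypto key generate rsa (?:general-keys )?modulus (\d+)")


def audit(config, untrusted_interfaces=("outside",)):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    with_aaa = {m[1] for m in AAA_RE.finditer(config)}
    for raw in config.splitlines():
        line = raw.strip()
        m = RSA_RE.match(line)
        if m and int(m[1]) < 2048:
            findings.append(f"rsa modulus {m[1]} is too small; generate a 2048-bit key or larger")
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, net, mask, nameif = m.groups()
        src = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if proto == "telnet":
            findings.append(f"telnet {src} {nameif}: cleartext management; disable it and use ssh")
        if proto not in with_aaa:
            # Without aaa authentication only the shared passwd (or default login) protects access
            findings.append(f"{proto} on {nameif} has no aaa authentication; only the shared password protects it")
        if src.prefixlen == 0:
            findings.append(f"{proto} on {nameif} is reachable from any source address")
        if nameif in untrusted_interfaces:
            findings.append(f"{proto} is exposed on the untrusted interface {nameif}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no problems found"]:
        print(finding)
```

With the key size raised to 2048 and the telnet and outside-SSH lines removed, the audit of the same sample returns nothing, which is the state to aim for before the appliance goes into production.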

The task was to set up an ASA so that the servers and users of the enterprise local network can work through it.

The servers have public ("white", 62.xxx) addresses and sit in a DMZ behind one-to-one static translations; user traffic from the local network leaves through PAT on the outside interface.

The servers have two network cards: one in the local network and one in the Internet-facing DMZ, and they are administered through the local network. Access from the local network to the DMZ is therefore not configured, because it is not needed.

A sample configuration is given below.


ASA Version 8.2(1)
!
! Device hostname
hostname asa
! Domain name. Needed for SSH
domain-name strui.ru
! Password for enable and the login (telnet) password
enable password 4aeeoLOxxxxxxjMx encrypted
passwd k0a6sN9ExxxxxxxxzV encrypted
names
! Interface facing the Internet
interface Ethernet0/0
description Internet
nameif outside
security-level 0
ip address 213.xxx.xxx.194 255.255.255.240
! Interface facing the local network
interface Ethernet0/1
description Local
nameif inside
security-level 100
ip address 10.10.10.20 255.255.255.0
!
! Interface facing the server network (DMZ)
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 62.xxx.xxx.177 255.255.255.240
! This interface is disabled
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
! This interface is not connected to the local network; it was used for
! the initial setup of the device
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
! Time zone and daylight-saving rule; required for correct log timestamps
clock timezone MSK/MDD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
! Access list for inbound traffic from the Internet to the DMZ servers
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.178 eq domain
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq smtp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq pop3
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq imap4
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq 8081
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.185 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.189 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq domain
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq https
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq smtp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq pop3
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq imap4
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq rtsp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.187 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.188 eq www
! Access list for outbound traffic from the DMZ servers
access-list acl_out_dmz extended permit tcp any any
access-list acl_out_dmz extended permit udp any any
access-list acl_out_dmz extended permit icmp any any
access-list acl_out_dmz extended deny tcp host 62.xxx.19.76 host 213.xxx.36.194 eq 135
access-list acl_out_dmz extended deny tcp host 87.xxx.95.11 host 213.xxx.36.194 eq ftp
! Access list for local network users.
! Everything is allowed for outbound traffic.
access-list acl_out_inside extended permit tcp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.40.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.40.0 255.255.255.0 any

! Logging setup
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host inside 10.10.10.4
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

! Global PAT pool: the outside interface address
global (outside) 1 interface
! NAT for the local network
nat (inside) 1 0.0.0.0 0.0.0.0
! Identity (static) translations for the servers
nat (dmz) 0 0.0.0.0 0.0.0.0
static (dmz,outside) 62.xxx.xxx.180 62.xxx.xxx.180 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.181 62.xxx.xxx.181 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.178 62.xxx.xxx.178 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.179 62.xxx.xxx.179 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.184 62.xxx.xxx.184 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.185 62.xxx.xxx.185 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.186 62.xxx.xxx.186 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.189 62.xxx.xxx.189 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.187 62.xxx.xxx.187 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.188 62.xxx.xxx.188 netmask 255.255.255.255
! Bind the access lists to interfaces with access-group
access-group acl_in_dmz in interface outside
access-group acl_out_inside in interface inside
access-group acl_out_dmz in interface dmz
! Static routes
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.193 1
route inside 10.10.20.0 255.255.255.0 10.10.10.10 1
route inside 10.10.40.0 255.255.255.0 10.10.10.10 1
route inside 10.10.50.0 255.255.255.0 10.10.10.10 1
route inside 10.10.110.0 255.255.255.0 10.10.10.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! Allow ASDM (web interface) access from the local network
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Allow telnet and ssh from the local network
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.71 255.255.255.255 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Time server and the user for the web interface
ntp server 10.10.10.3 source inside
webvpn
username admin password trAp5eVxxxxxxnv encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
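The ASA evaluates an access list top-down and stops at the first match. That makes the two deny entries in acl_out_dmz dead: they come after permit tcp any any, so a DMZ host reaching port 135 or FTP on the outside address is permitted before the deny is ever consulted. The permit any any lines themselves also give a compromised DMZ server free outbound access. Two other things worth noting in the listing: DNS to the DMZ is permitted over TCP only, so UDP queries from the Internet are dropped, and telnet is enabled from the LAN, which carries credentials in cleartext. The following script is an added example, not code from the page: it parses extended ACEs in the any/host/network-mask forms used here and reports shadowed entries and overly broad permits. SAMPLE_ACLS is constructed; the masked 62.xxx and 213.xxx addresses of the page are replaced with TEST-NET addresses so they parse, and the ordering of acl_out_dmz is kept exactly as on the page.

```python
"""Shadowing and broad-permit analysis for ASA extended access lists
(added example). An ACE is shadowed when an earlier ACE in the same list
matches every packet it would match; a broad permit is permit <proto> any any."""
import ipaddress
import re

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53, "smtp": 25,
              "pop3": 110, "imap4": 143, "https": 443, "rtsp": 554}

# Constructed sample: page ordering, public addresses replaced with TEST-NET ranges.
SAMPLE_ACLS = """\
access-list acl_in_dmz extended permit tcp any host 192.0.2.180 eq www
access-list acl_in_dmz extended permit tcp any host 192.0.2.180 eq ftp
access-list acl_in_dmz extended permit tcp any host 192.0.2.178 eq domain
access-list acl_in_dmz extended permit tcp any host 192.0.2.179 eq smtp
access-list acl_out_dmz extended permit tcp any any
access-list acl_out_dmz extended permit udp any any
access-list acl_out_dmz extended permit icmp any any
access-list acl_out_dmz extended deny tcp host 192.0.2.76 host 198.51.100.194 eq 135
access-list acl_out_dmz extended deny tcp host 198.51.100.11 host 198.51.100.194 eq ftp
access-list acl_out_inside extended permit tcp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.10.0 255.255.255.0 any
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def _address(tokens, i):
    """Parse any | host A.B.C.D | NET MASK starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <name|number>'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES.get(name, name)), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended ACE into a dict, or return None for other lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m[4].split()
    src, i = _address(tokens, 0)
    _, i = _port(tokens, i)            # a source-port qualifier is skipped, not evaluated
    dst, i = _address(tokens, i)
    dport, _ = _port(tokens, i)
    return {"acl": m[1], "action": m[2], "proto": m[3],
            "src": src, "dst": dst, "dport": dport, "line": line.strip()}


def covers(earlier, later):
    """True when every packet matching `later` already matched `earlier`."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])
    port_ok = earlier["dport"] is None or earlier["dport"] == later["dport"]
    return (proto_ok and port_ok
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def analyze(config):
    """Return findings as dicts with keys acl, issue, line (plus 'by' for shadowed entries)."""
    findings, seen = [], {}
    for line in config.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        earlier_aces = seen.setdefault(ace["acl"], [])
        for earlier in earlier_aces:
            if covers(earlier, ace):
                findings.append({"acl": ace["acl"], "issue": "shadowed",
                                 "line": ace["line"], "by": earlier["line"]})
                break
        if (ace["action"] == "permit" and ace["dport"] is None
                and ace["src"].prefixlen == 0 and ace["dst"].prefixlen == 0):
            findings.append({"acl": ace["acl"], "issue": "broad-permit", "line": ace["line"]})
        earlier_aces.append(ace)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ACLS):
        print(f["acl"], f["issue"], f["line"], f.get("by", ""))
```

On the sample it reports the three broad permits and both deny lines of acl_out_dmz as shadowed by permit tcp any any, and nothing for acl_in_dmz. The fix on the appliance is to move the deny entries above the permits, or better, to replace the any any permits with the specific outbound services the servers need.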

This article explains how to migrate from Cisco ASA 5500 firewalls (ASA 5510, 5520, 5540 and 5550) to the newer ASA 5500-X models (5512-X, 5515-X, 5525-X, 5545-X, 5555-X): what preparation is needed and what to pay attention to.

Here is an approximate correspondence between the devices of the two lines for the transition.

Preparing for migration

For the migration to go quickly and without problems, prepare carefully and check that the hardware and software requirements are met.

Check the following:

  • licenses are available for all new devices. Existing licenses cannot be transferred, because they are tied to the serial numbers of specific devices, so new licenses have to be bought and applied to the new hardware
  • the ASA software for the 5500-X series must be at least version 8.6; older versions simply do not run on these devices. If you only have an older version, download a newer one from cisco.com

The following steps prepare the ASA 5500 series devices for the migration:

  • update Cisco Security Manager
  • upgrade all 5500 series devices to software version 8.4(2). If they already run 8.3, upgrade directly to the required version; from an earlier release, do it in several steps rather than one, for example 7.x to 8.0, then 8.2, then 8.3 and finally 8.4. The step through 8.3 matters because that release introduced the new NAT syntax and converts the old global/nat/static statements automatically during the upgrade.

Alternatively, you can use the web-based NAT migration tool; contact TAC or customer support to get access to it. You submit the existing configuration from your local computer, the tool performs the conversion and returns an updated configuration that can be copied and saved to a file. Read its limitations carefully before using it.

  • back up the configuration and keep it in case something goes wrong and the configuration has to be restored. This is done with the copy command in the CLI or with ASDM
  • if you use the IPS module, back up its configuration too (via the CLI or IDM/IME)
  • when making the configuration backups, also export the certificates and crypto keys from the old platform

Differences in hardware architecture between the ASA 5500-X and the 5500 series

Naturally, the architecture of the new devices is somewhat different. The visible differences are:

  • no SSM slot
  • the ASA and IPS services (if present) are managed through the same physical port
  • higher port density, and all data ports are Gigabit

Because of these differences, some things in the 5500 series configuration file have to be changed by hand. Read below what exactly.

Editing the I/O port configuration

The ASA 5520, 5540 and 5550 already have Gigabit ports named GigabitEthernet0/x, so their interface names need no change. The exception is the ASA 5510, whose data ports are named Ethernet0/x (Fast Ethernet with the Base license; Security Plus makes two of them Gigabit but does not rename them). When transferring a configuration from a 5510, every interface and subinterface name has to be changed to reflect that the new device has Gigabit ports.

Here is an example (going from a 5510 to a 5515-X).

ASA 5510 Configuration

! physical interface
interface Ethernet0/1
no nameif
no security-level
no ip address
no shutdown
! Creating subinterfaces on interface E0/1 (two logical networks)
interface Ethernet0/1.120
vlan 1222
nameif fw-out
security-level 50

ASA 5515-X reconfiguration

! physical interface
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
no shutdown
! Creating subinterfaces on interface G0/1 (two logical networks)
interface GigabitEthernet0/1.1201
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0

Management Port Configuration Changes

A significant difference of the ASA 5500-X platform is that the IPS and firewall services share one management port, and that port cannot be used for anything else. After the transition it can no longer serve as a data port or as the failover link (on the 5500 series that was possible). If you used it that way on the old platform, move that configuration to a Gigabit data port that is unused on the new platform (GigabitEthernet0/3 in the example below). The example shows this for a migration from an ASA 5520 to an ASA 5525-X.

ASA 5520 Configuration

interface Management0/0
no nameif
no security-level
no ip address
no management-only
no shutdown
! Subinterfaces on interface M0/0
interface Management0/0.120
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0

ASA 5525-X configuration

! Dedicated management interface
interface Management0/0
no nameif
no security-level
no ip address
management-only
no shutdown
! Management interface configuration migrated to GigabitEthernet0/3
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
no shutdown
! Subinterfaces on interface G0/3
interface GigabitEthernet0/3.1201
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0

Choose a data port that carried no configuration on the old platform, so that the migrated management-port settings do not conflict with an existing interface definition.

Similarly, if you previously used the management interface for the failover link, migrate it to a new, unused 5500-X interface.
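Both edits described above are mechanical: rename Ethernet0/N to GigabitEthernet0/N, and move whatever Management0/0 carried as data (its subinterfaces, or its own nameif and address) to an unused data port while leaving Management0/0 itself management-only. The following script is an added example, not code from the page or a Cisco tool: it performs those two edits on an interface-block basis and reports every command outside interface blocks that still names an old physical port (a failover lan interface line, for instance) for manual review, since such commands must be corrected by hand. MGMT_TARGET is an assumption; pick a port that had no configuration on the old appliance. SAMPLE_5500 is constructed from the page's two examples; the subinterface IDs are kept unchanged because only the vlan tag matters to the network.

```python
"""Interface renaming for an ASA 5500 to 5500-X migration (added example).
Rewrites interface names block by block and flags leftover references."""
import re

MGMT_TARGET = "GigabitEthernet0/3"   # assumption: unused data port on the new appliance

# Constructed from the page's 5510 and 5520 examples, plus one failover line.
SAMPLE_5500 = """\
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
interface Ethernet0/1.120
 vlan 1222
 nameif fw-out
 security-level 50
 ip address 172.16.61.1 255.255.255.0
interface Management0/0
 no nameif
 no security-level
 no ip address
 no management-only
 no shutdown
interface Management0/0.130
 vlan 1300
 nameif fw-mgmt
 security-level 90
 ip address 172.16.62.1 255.255.255.0
failover lan interface folink Management0/0
"""

BARE_PORT = [" no nameif", " no security-level", " no ip address", " no shutdown"]


def new_name(old):
    """Ethernet0/1.120 -> GigabitEthernet0/1.120; Management0/0.130 -> <MGMT_TARGET>.130."""
    if old.startswith("Management0/0."):
        return MGMT_TARGET + old[len("Management0/0"):]
    if old.startswith("Ethernet"):
        return "GigabitEthernet" + old[len("Ethernet"):]
    return old


def _parse(config):
    """Interface blocks become dicts {name, body}; every other top-level line stays a str."""
    items, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"name": line.split()[1], "body": []}
            items.append(current)
        elif line.startswith(" ") and current is not None:
            current["body"].append(line)
        else:
            current = None
            items.append(line)
    return items


def migrate(config):
    """Return (migrated_config, notes_for_manual_review)."""
    items = _parse(config)
    names = {i["name"] for i in items if isinstance(i, dict)}
    out, notes = [], []
    target_done = MGMT_TARGET in names
    if target_done and any(n.startswith("Management0/0") for n in names):
        notes.append(f"{MGMT_TARGET} already exists; choose another unused port for the Management0/0 settings")
    for item in items:
        if isinstance(item, str):
            # Top-level commands are never rewritten, only reported when they name an old port
            if re.search(r"\b(Ethernet\d|Management0/0)", item):
                notes.append(f"manual review: {item.strip()}")
            out.append(item)
            continue
        name, body = item["name"], list(item["body"])
        if name == "Management0/0":
            carries_data = (any(re.match(r"\s*nameif \S+", b) for b in body)
                            and " management-only" not in body)
            if carries_data:
                # The data role moves to the target port; Management0/0 is left bare
                out.append(f"interface {MGMT_TARGET}")
                out.extend(b for b in body if b.strip() != "no management-only")
                target_done = True
                body = BARE_PORT[:3] + [" no shutdown"]
            # On the 5500-X the management port is management-only, nothing else
            body = [" management-only" if b.strip() == "no management-only" else b for b in body]
            if " management-only" not in body:
                body.append(" management-only")
            out.append(f"interface {name}")
            out.extend(body)
            continue
        migrated = new_name(name)
        if migrated.startswith(MGMT_TARGET + ".") and not target_done:
            # Subinterfaces need their physical port declared first
            out.append(f"interface {MGMT_TARGET}")
            out.extend(BARE_PORT)
            target_done = True
        out.append(f"interface {migrated}")
        out.extend(body)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    text, review = migrate(SAMPLE_5500)
    print(text)
    for note in review:
        print("#", note)
```

The output keeps every subinterface body unchanged under its new parent, inserts the bare GigabitEthernet0/3 block before its first subinterface, turns Management0/0 into a management-only port, and lists the failover line as something to rewrite by hand.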

How should the ASA and IPS services be migrated? Several options are possible here because, as mentioned above, the 5500-X has a single shared management port for the IPS and firewall services instead of separate ones. Study the options carefully and choose the appropriate one.

Migrate an IPS Configuration

When transferring the IPS configuration file by hand, nothing needs to be changed in it if all the preparations described above have been completed. Just in case, double-check that the management port is configured correctly.

Remember that IPS is activated in two stages, and that you need a license not only for the ASA device but also for the IPS service itself.

Results

As you can see, the migration from ASA 5500 series devices to the ASA 5500-X is performed in several stages; some of them are automated and some have to be done by hand.

We have tried to describe the main steps, the order in which to do them, and what to pay attention to so that after the transition the new equipment works correctly and performs the functions assigned to it.