The Cisco ASA 5510 Security Appliance is one of the firewalls of the popular ASA 5500 line. These devices provide a high level of security for data transmission in the networks of small and medium-sized businesses. Setting up PPPoE also lets company employees' computers access the Internet securely.
Firewalls are offered to end users with a standard Base license or with an extended Security Plus license. The latter unlocks a higher level of ASA performance than is available with the Base license. Where the standard license supports up to 50,000 connections, Security Plus gives you a firewall that protects 130,000 connections. The maximum number of VLANs is also increased: where only 50 were available before, the new license doubles this to 100.
The Cisco ASA 5510 has 5 ports; with the Base license they support only 10/100 Mbps, and with Security Plus this rises to 10/100/1000 Mbps.
After purchasing a Security Plus license, it must be activated. To do this, run the following commands (the activation key below is a placeholder, not a real key):
telecombookASA(config)#activation-key 0xab12cd34
telecombookASA(config)#exit
telecombookASA#copy running-config startup-config
telecombookASA#reload
Next, consider an example of setting up Internet access. The Internet provider has allocated one static IP address, 77.77.77.1. The internal network will use the address space 172.16.10.0/24. The Ethernet 0/0 interface is used for the WAN, and Ethernet 0/1 for connecting devices inside the network.
All devices of the internal network will be placed in VLAN 10, so the Ethernet 0/1.10 subinterface needs to be enabled. The ASA will be configured to hand out IP addresses to workstations automatically using DHCP. NAT (PAT) will be configured between the internal and external networks.
The network topology will look like this:
The initial setup is to set a password for access to global configuration mode. To do this, use the enable password MyPass command, where MyPass is the password for accessing the device.
To configure the external interface, use the interface Ethernet0/0 command. The name is set with nameif outside, the security level with security-level 0, and the IP address with ip address 77.77.77.1 255.255.255.252.
To configure the internal Ethernet0/1.10 subinterface (802.1Q tagging for VLAN 10 on the Ethernet0/1 trunk), apply the following block:
telecombookASA(config)#interface Ethernet0/1
telecombookASA(config-if)#no shutdown
telecombookASA(config)#interface Ethernet0/1.10
telecombookASA(config-if)#nameif inside
telecombookASA(config-if)#vlan 10
telecombookASA(config-if)#security-level 100
telecombookASA(config-if)#ip address 172.16.10.254 255.255.255.0
telecombookASA(config-if)#no shutdown
PAT setup:
telecombookASA(config)#global (outside) 1 interface
telecombookASA(config)#nat (inside) 1 172.16.0.0 255.255.0.0
Default route:
telecombookASA(config)#route outside 0.0.0.0 0.0.0.0 77.77.77.2 1
! The trailing 1 is the administrative distance.
Configuring a DHCP server on the ASA (the pool must lie inside the 172.16.10.0/24 subnet of the inside interface):
telecombookASA(config)#dhcpd dns 88.88.88.20
telecombookASA(config)#dhcpd address 172.16.10.1-172.16.10.240 inside
telecombookASA(config)#dhcpd enable inside
Collected together, the interface configuration looks like this:
telecombookASA(config)#enable password MyPass
telecombookASA(config)#interface Ethernet0/0
telecombookASA(config-if)#nameif outside
telecombookASA(config-if)#security-level 0
telecombookASA(config-if)#ip address 77.77.77.1 255.255.255.252
telecombookASA(config-if)#no shutdown
telecombookASA(config)#interface Ethernet0/1
telecombookASA(config-if)#speed 100
telecombookASA(config-if)#duplex full
telecombookASA(config-if)#no nameif
telecombookASA(config-if)#no security-level
telecombookASA(config-if)#no ip address
telecombookASA(config-if)#no shutdown
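A small consistency check for the kind of configuration built in this section, added here as an example (it is not part of the original article or of any Cisco tool). It parses interface, nat, route and dhcpd lines from a constructed running-config and flags a DHCP pool that falls outside the interface subnet, a NAT statement that does not cover the inside network, and a default gateway that is not on the outside subnet.

```python
import ipaddress
import re

# Constructed sample: the ASA 5510 configuration from this section as it would
# appear in "show running-config" (prompts stripped), including the dhcpd range
# exactly as the text first gives it (172.16.10.1-192.168.10.240).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 77.77.77.1 255.255.255.252
 no shutdown
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 172.16.10.254 255.255.255.0
 no shutdown
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 77.77.77.2 1
dhcpd dns 88.88.88.20
dhcpd address 172.16.10.1-192.168.10.240 inside
dhcpd enable inside
"""

DHCPD_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) \d+ (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = {"name": None, "addr": None}
        elif cur is not None and s.startswith("nameif "):
            cur["name"] = s.split()[1]
        elif cur is not None and s.startswith("ip address "):
            _, _, ip, mask = s.split()
            cur["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if cur is not None and cur["name"] and cur["addr"]:
            ifaces[cur["name"]] = cur["addr"]
    return ifaces


def check_config(config):
    """Run the consistency checks; returns a list of findings (empty when all pass)."""
    ifaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if m := DHCPD_RE.match(s):
            lo, hi, name = m.groups()
            if name not in ifaces:
                findings.append(f"dhcpd pool refers to unknown interface {name}")
                continue
            net, own = ifaces[name].network, ifaces[name].ip
            lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            if lo_a not in net or hi_a not in net:
                findings.append(f"dhcpd pool {lo}-{hi} is not within {name} subnet {net}")
            elif lo_a <= own <= hi_a:
                findings.append(f"dhcpd pool {lo}-{hi} includes the {name} address {own}")
        elif m := NAT_RE.match(s):
            name, ip, mask = m.groups()
            pool = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            if name in ifaces and not ifaces[name].network.subnet_of(pool):
                findings.append(f"nat ({name}) {pool} does not cover {ifaces[name].network}")
        elif m := ROUTE_RE.match(s):
            name, gw = m.groups()
            if name in ifaces and ipaddress.IPv4Address(gw) not in ifaces[name].network:
                findings.append(f"default gateway {gw} is not on the {name} subnet")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```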
In this part, we will look at working in ROMMON.
Working with ROMMON is mostly an emergency job.
Typical emergencies are a corrupted or accidentally deleted OS image, or simply a forgotten password.
To simulate this situation, we delete the OS file and also reset the configuration:
configure factory-default
We are connected to the ASA via the console.
We enter ROMMON mode by pressing Esc while the boot timer is counting down, then enter the following ROMMON commands (add a gateway command if the TFTP server is in a different subnet):
rommon #0> interface ethernet0/0
rommon #1> address 10.0.0.1
rommon #2> server 10.0.0.2
rommon #3> file asa842-k8.bin
rommon #4> tftpdnld
In this case the ASA boots the OS directly from TFTP, and we get control of the device in "normal" mode.
After booting this way, the enable password is empty (just press Enter).
We will make further settings according to the diagram:
So, according to the diagram, we configure the internal interface:
interface gigabitethernet 2
security-level 100
nameif inside
ip address 192.168.2.253 255.255.255.0
no shutdown
Here we set the following parameters on the interface:
security-level 100: because this interface is internal, we give it the highest security level, i.e. we trust it the most.
nameif inside: defines a name for the interface. This is an important parameter, since the name is used frequently in further settings.
IP address check:
You can check the IP addressing settings on the interfaces with:
show running-config ip
Or with ping:
By the way, a little about the console:
With an empty config the enable password is empty; just press Enter.
As you know, on a router the show command can only be entered in privileged mode; in configuration mode you must use do show.
On the ASA, the show command works in any mode.
Command output (e.g. show running-config) can be aborted with the q key.
OS image
boot system flash:/asa914-5-k8.bin
Without this command, the first operating system image found on the flash is loaded.
Checking the image to boot:
We reboot:
ASDM Image
So, we have made sure that the internal interface is configured correctly and that ping passes.
We now have a fully configured connection to the internal network and can configure the ways to manage our ASA.
The ASA can be managed in several ways:
- SSH: management through the command line over the SSH protocol.
- ASDM: a graphical user interface.
In our particular case, working with GNS3, we use versions compatible with each other and with GNS3:
ASA Version 8.4(2)
ASDM Version 6.4(3)
For ASDM to work, we will also copy its file to flash:
asdm image flash:/asdm-643.bin
Checking the ASDM image in use:
To summarize, for the ASA to work properly there must be two files on the flash:
- OS, for example asa914-5-k8.bin: the operating system file, required to boot the system
- ASDM, for example asdm-643.bin: the file required for the ASDM admin panel to work
Further settings
Set the hostname:
Set the enable password:
enable password mysecretpassword
Create an admin user and enable authentication against the local database for SSH and HTTP:
username asaadmin password adminpassword privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Note that we did not enable aaa for telnet. In this case the telnet password is the one set by the passwd command.
We generate the RSA key required for SSH to work (a 1024-bit modulus is below current recommendations; use modulus 2048 where the software supports it):
crypto key generate rsa modulus 1024
For ASDM to work, enable HTTPS support and restrict which hosts may connect:
http server enable
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
Here the first command turns on the server, the second determines who is allowed to connect over HTTPS, and the third does the same for SSH.
As you know, HTTPS requires a certificate to work. In this case the ASA will use a self-signed temporary certificate. This means that with each reboot the certificate is regenerated.
In general, we can configure 3 types of certificates for ASA:
- Self Signed Temporary Certificate: the ASA's own certificate, generated every time the ASA boots
- Self Signed Permanent Certificate: the ASA's own certificate, generated once
- Real Certificate from PKI: a certificate issued by a third-party Certificate Authority
We will return to this later.
For convenience, let's increase the timeout for SSH:
Checking the HTTP, SSH and TELNET settings:
show running-config aaa
show running-config http
show running-config ssh
show running-config telnet
The task was to configure the firewall so that the enterprise's servers and local network users can work.
The servers have white (public, 62.xxx) addresses and are placed in the DMZ; user traffic from the local network goes out through NAT (PAT) on the outside interface.
The servers have two network cards, one in the local network and the other on the Internet, and they are managed through the local network. Therefore, access from the local network to the DMZ is not configured, because it is not needed.
A sample configuration is given below.
ASA Version 8.2(1)
!
! Device hostname
hostname asa
!Domain. Needed for SSH
domain-name strui.ru
!Password for enable.
enable password 4aeeoLOxxxxxxjMx encrypted
passwd k0a6sN9ExxxxxxxxzV encrypted
names
! Interface facing the Internet.
interface Ethernet0/0
description Internet
nameif outside
security-level 0
ip address 213.xxx.xxx.194 255.255.255.240
! Interface facing the local network.
interface Ethernet0/1
description Local
nameif inside
security-level 100
ip address 10.10.10.20 255.255.255.0
!
! Interface facing the server network (DMZ).
interface Ethernet0/2
description DMZ
nameif dmz
security-level 50
ip address 62.xxx.xxx.177 255.255.255.240
! This interface is disabled.
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
! This interface is not connected to the local network; it is used for the
! initial setup of the Cisco.
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
! Set the time zone and daylight-saving time. Required for log timestamps.
clock timezone MSK/MDD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
! Access list for incoming traffic to the servers in the demilitarized zone (DMZ).
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.180 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.181 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.178 eq domain
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq smtp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq pop3
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq imap4
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq 8081
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.185 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq ftp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq ftp-data
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.186 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.189 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq domain
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.179 eq https
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq smtp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq pop3
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.182 eq imap4
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.184 eq rtsp
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.187 eq www
access-list acl_in_dmz extended permit tcp any host 62.xxx.xxx.188 eq www
! Access list for outgoing traffic from the DMZ servers. The two deny entries must
! come before the permits: the ASA evaluates an access list top-down, first match wins,
! so a deny placed after "permit tcp any any" would never be reached.
access-list acl_out_dmz extended deny tcp host 62.xxx.19.76 host 213.xxx.36.194 eq 135
access-list acl_out_dmz extended deny tcp host 87.xxx.95.11 host 213.xxx.36.194 eq ftp
access-list acl_out_dmz extended permit tcp any any
access-list acl_out_dmz extended permit udp any any
access-list acl_out_dmz extended permit icmp any any
! Access list for LAN users.
! Everything is allowed for outgoing traffic.
access-list acl_out_inside extended permit tcp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.40.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit tcp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit icmp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.10.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.20.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.110.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.50.0 255.255.255.0 any
access-list acl_out_inside extended permit udp 10.10.40.0 255.255.255.0 any
! Logging setup
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host inside 10.10.10.4
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! global setting
global (outside) 1 interface
! Setting up NAT for a local network
nat (inside) 1 0.0.0.0 0.0.0.0
! Setting static for servers
nat (dmz) 0 0.0.0.0 0.0.0.0
static (dmz,outside) 62.xxx.xxx.180 62.xxx.xxx.180 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.181 62.xxx.xxx.181 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.178 62.xxx.xxx.178 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.179 62.xxx.xxx.179 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.184 62.xxx.xxx.184 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.185 62.xxx.xxx.185 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.186 62.xxx.xxx.186 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.189 62.xxx.xxx.189 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.187 62.xxx.xxx.187 netmask 255.255.255.255
static (dmz,outside) 62.xxx.xxx.188 62.xxx.xxx.188 netmask 255.255.255.255
! We bind access-list through access-group to interfaces.
access-group acl_in_dmz in interface outside
access-group acl_out_inside in interface inside
access-group acl_out_dmz in interface dmz
! We register routing for interfaces.
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.193 1
route inside 10.10.20.0 255.255.255.0 10.10.10.10 1
route inside 10.10.40.0 255.255.255.0 10.10.10.10 1
route inside 10.10.50.0 255.255.255.0 10.10.10.10 1
route inside 10.10.110.0 255.255.255.0 10.10.10.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! Allow access to the web interface (ASDM) from the local network.
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! We allow telnet and ssh to work on the local network.
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.71 255.255.255.255 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Time server and the user for the web interface.
ntp server 10.10.10.3 source inside
webvpn
username admin password trAp5eVxxxxxxnv encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
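The ASA evaluates an access list top-down and the first matching entry wins, which is why the order of the acl_out_dmz entries matters. The following added example (not part of the original article or of any Cisco tool) parses ASA extended access-list lines, evaluates them the same way, and reports entries that are shadowed by an earlier one; the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed documentation placeholders standing in for the masked 62.xxx and 213.xxx addresses above.

```python
import ipaddress

# Well-known service names that appear in the article's access lists.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "imap4": 143, "https": 443, "rtsp": 554}

# Constructed sample modelled on acl_in_dmz / acl_out_dmz, with the deny entries
# placed after "permit ... any any" as in the original ordering.
SAMPLE_ACL = """\
access-list acl_in_dmz extended permit tcp any host 198.51.100.180 eq www
access-list acl_out_dmz extended permit tcp any any
access-list acl_out_dmz extended permit udp any any
access-list acl_out_dmz extended permit icmp any any
access-list acl_out_dmz extended deny tcp host 198.51.100.76 host 203.0.113.194 eq 135
access-list acl_out_dmz extended deny tcp host 198.51.100.11 host 203.0.113.194 eq ftp
"""


def _spec(tokens, i):
    """Parse one address spec (any | host A | A MASK) at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the entries of access-list `name`, in configuration order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        src, i = _spec(t, 5)
        dst, i = _spec(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append({"action": t[3], "proto": t[4], "src": src, "dst": dst,
                        "port": port, "line": line})
    return entries


def first_match(entries, proto, src, dst, port=None):
    """Evaluate like the ASA: first matching entry wins, implicit deny at the end.
    Returns (action, index); index is None when the implicit deny applied."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, e in enumerate(entries):
        if e["proto"] not in (proto, "ip") or s not in e["src"] or d not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        return e["action"], n
    return "deny", None


def _covers(a, b):
    """True when entry a matches every packet that entry b would match."""
    return (a["proto"] in (b["proto"], "ip")
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def shadowed(entries):
    """(index, shadowing index) for every entry that can never match."""
    result = []
    for j, b in enumerate(entries):
        for i in range(j):
            if _covers(entries[i], b):
                result.append((j, i))
                break
    return result


def denies_first(entries):
    """Stable reorder: explicit deny entries ahead of the permits (the fix for acl_out_dmz)."""
    return sorted(entries, key=lambda e: e["action"] != "deny")


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "acl_out_dmz")
    for j, i in shadowed(acl):
        print(f"entry {j} is shadowed by entry {i}: {acl[j]['line']}")
    fixed = denies_first(acl)
    print(first_match(fixed, "tcp", "198.51.100.76", "203.0.113.194", 135))
```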
In this article we explain how to migrate from Cisco ASA 5500 firewalls (ASA 5510, ASA 5520, ASA 5540 and ASA 5550) to the more modern ASA 5500-X (5512-X, 5515-X, 5525-X, 5545-X, 5555-X), what preliminary preparation is needed, and what points to pay attention to.
Here is an approximate correspondence between the devices of the two lines for the transition.
Preparing for migration
For the migration to go quickly and without problems, you need to prepare carefully and check that the hardware and software requirements are met.
We check the following:
- availability of licenses for all new devices: previous licenses cannot be transferred, because they are tied to the serial numbers of specific devices, so you will need to purchase new licenses and use them on the new hardware
- the ASA software version for the 5500-X series must be at least 8.6; older versions simply cannot be used on these devices. If you only have an older version, download a newer one from cisco.com
The following steps are needed to prepare for migrating from the Cisco 5500 series:
- update Cisco Security Manager
- upgrade the software of all 5500-series equipment to version 8.4.2. If you are running ASA 8.3 software, update straight to the required version, but if you are using an earlier version we recommend doing this not in one step but in several, for example from 7.4 to 8.0, then to 8.2, then to 8.3, and then to 8.4.
Alternatively, you can use the web-based NAT migration tool; contact TAC or customer support for it. The tool accepts an existing configuration uploaded from the local computer, performs the conversions, and returns an updated configuration that can simply be copied and saved to a file. Before using this tool, read its limitations carefully.
- be sure to back up the configuration and save it in case something goes wrong and it has to be restored. This is done with the copy CLI command or via ASDM
- if you use an IPS module, back up its configuration too (via the CLI or IDM/IME)
- when you make the configuration backups, be sure to export the certificates and crypto keys from the old platform as well
Differences in hardware architecture of ASA 5500-X devices from the 5500 series
Naturally, the architecture of the new devices is somewhat different. Visually, you will notice the following differences:
- no SSM
- the ASA and IPS services (if any) are managed physically through the same port
- higher density of I/O ports, and only Gigabit ports are used
Because of these differences, some things in the 5500-series configuration file will have to be changed manually. Read on for what exactly.
Editing the I/O port configuration
All ASA 5500 models have Gigabit ports, so their interface configuration is already correct and nothing needs to change. The exception is the ASA 5510 without a Security Plus license, which has no such port. Therefore, when transferring a configuration from a 5510, all interface and subinterface names must be changed to reflect that the new device has Gigabit ports.
Here is an example of how this is done (going from 5510 to 5515-X).
ASA 5510 configuration
! physical interface
interface Ethernet0/1
no nameif
no security-level
no ip address
no shutdown
! Creating subinterfaces on interface E0/1 (two logical networks)
interface Ethernet0/1.120
vlan 1222
nameif fw-out
security-level 50
ASA 5515-X reconfiguration
! physical interface
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
no shutdown
! Creating subinterfaces on interface G0/1 (two logical networks)
interface GigabitEthernet0/1.1201
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0
Management port configuration changes
A significant difference in the ASA 5500-X platform is that the IPS and firewall services share one management port, and it cannot be used for any other purpose. Note that after the transition it can no longer serve as a data port or as part of a high-availability (failover) configuration, as was possible in the 5500 series. If you used it that way on the previous platform, be sure to move that management port's configuration to one of the Gigabit data ports numbered G0/3 or above when migrating. The following shows how this is done using the example of migrating from ASA 5520 to ASA 5525-X.
ASA 5520 configuration
interface Management0/0
no nameif
no security-level
no ip address
no management-only
no shutdown
! Subinterfaces on interface M0/0
interface Management0/0.120
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0
ASA 5525-X configuration
! Dedicated management interface
interface Management0/0
no nameif
no security-level
no ip address
management-only
no shutdown
! Management interface migrated to GigabitEthernet0/3
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
no shutdown
! Subinterfaces on interface G0/3
interface GigabitEthernet0/3.1201
vlan 1222
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0
The ASA 5500 configuration being migrated does not use a GigabitEthernet0/3 interface, so after moving to the newer platform the two configurations will not conflict with each other.
Similarly, if you previously used the management interface for failover, move that configuration to a new, unused 5500-X interface.
How do you correctly migrate the ASA and IPS services? Several options are possible here because, as mentioned above, the 5500-X has a single shared management port for the IPS and firewall services instead of separate ones. We recommend studying the options carefully and choosing the appropriate one.
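The two interface rewrites described above (5510 to 5515-X port renaming, and moving a data-plane Management0/0 to a Gigabit port while restoring it as management-only) as an added example script; it is not part of the original article or of any Cisco tool. It keeps the .N subinterface suffix unchanged (the article's renumbering from .120 to .1201 is not replicated), refuses to migrate onto a data port that is already configured, and works on constructed samples taken from the stanzas quoted above.

```python
import re

# Matches an "interface <Type>X/Y[.N]" header; group 2 is the physical name, group 3 the suffix.
IFACE_RE = re.compile(r"^(\s*interface\s+)([A-Za-z]+\d+/\d+)(\.\d+)?\s*$")

# Constructed samples based on the ASA 5510 and ASA 5520 stanzas quoted in this section.
ASA5510_SAMPLE = """\
! physical interface
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
! Subinterface on interface E0/1
interface Ethernet0/1.120
 vlan 1222
 nameif fw-out
 security-level 50
 ip address 172.16.61.1 255.255.255.0
"""

ASA5520_SAMPLE = """\
interface Management0/0
 no nameif
 no security-level
 no ip address
 no management-only
 no shutdown
! Subinterfaces on interface M0/0
interface Management0/0.120
 vlan 1222
 nameif fw-out
 security-level 50
 ip address 172.16.61.1 255.255.255.0
"""

# The dedicated, management-only stanza the 5500-X requires for Management0/0.
DEDICATED_MGMT = """\
! Dedicated Management Interface
interface Management0/0
 no nameif
 no security-level
 no ip address
 management-only
 no shutdown
"""


def physical_names(config):
    """Set of physical interface names that have an 'interface' stanza in config."""
    return {m.group(2) for m in map(IFACE_RE.match, config.splitlines()) if m}


def rename_interfaces(config, renames):
    """Rewrite 'interface' headers per renames (old physical name -> new name),
    keeping the .N subinterface suffix; all other lines pass through unchanged."""
    out = []
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m and m.group(2) in renames:
            line = f"{m.group(1)}{renames[m.group(2)]}{m.group(3) or ''}"
        out.append(line)
    return "\n".join(out) + "\n"


def migrate_5510_to_5515x(config):
    """ASA 5510 -> 5515-X: every EthernetX/Y (and its subinterfaces) becomes GigabitEthernetX/Y."""
    renames = {n: "Gigabit" + n for n in physical_names(config) if n.startswith("Ethernet")}
    return rename_interfaces(config, renames)


def migrate_management_port(config, target="GigabitEthernet0/3"):
    """ASA 5520 -> 5525-X: move a data-plane Management0/0 (with its subinterfaces) to an
    unused Gigabit data port and restore Management0/0 as a dedicated management-only port."""
    if target in physical_names(config):
        raise ValueError(f"{target} is already configured; choose an unused data port")
    moved = rename_interfaces(config, {"Management0/0": target})
    # "no management-only" only made sense while Management0/0 carried data traffic.
    kept = [l for l in moved.splitlines() if l.strip() != "no management-only"]
    return DEDICATED_MGMT + "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(migrate_5510_to_5515x(ASA5510_SAMPLE))
    print(migrate_management_port(ASA5520_SAMPLE))
```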
Migrating an IPS configuration
When transferring the IPS configuration file manually, nothing needs to be changed if you have completed all the preparations described above. Just in case, double-check that the management port is configured correctly.
Don't forget that IPS is activated in two stages, and you will need a license not only for the ASA device but also for the IPS service itself.
Results
As you can see, the migration from ASA 5500 series devices to the ASA 5500-X is performed in several stages; some of them are automated, and some have to be done manually.
We have tried to describe the main steps, the order in which to do them, and what to pay attention to so that after the transition the new equipment works correctly and performs the functions assigned to it.