Cisco ASA 5505 Firewall Initial Setup: Cisco ASA Training 101 (video transcript, via thevoltreport.com)
Hello and welcome to Cisco ASA Training 101. My name is Don Crawley. I'm from soundtraining.net; we're the Seattle, Washington based provider of accelerated training and publisher of learning resources for IT professionals. This time we're doing Cisco ASA security appliance initial setup. It's based on chapter one in my book, The Accidental Administrator: Cisco ASA Security Appliance. The book is not required for the video, but if you'd like to get a copy to follow along, it's available through Amazon and other resellers, or you can visit our website at www.traknetpm.com.

Firewall: what we want to do is we want to limit where connections can be initiated, and that's the important concept here. So a firewall allows your internal users to initiate a connection to, say, the public Internet, maybe a website or a mail server or FTP server, something like that, but it prohibits Internet users from being able to initiate a connection to the internal network, and that, at its core, is what a firewall is all about. Now, you take a sophisticated device like a Cisco ASA security appliance and it certainly can do lots more than just that, but at its core that is basic firewall functionality.

Now we can break firewalls down into two broad families: there's desktop and network firewalls. Here's the difference. A desktop firewall is typically a software application that is installed on a computer, such as what you're seeing here, the Windows 8 firewall. A network firewall is typically a purpose-built device. You can certainly install network firewall software on a general-purpose PC, but it's typically a purpose-built device such as what you see here with the Cisco ASA family of firewalls. The difference is that a desktop firewall is designed to protect an individual node on a network, and a network firewall is placed at the network edge and is designed to protect an entire network.

One question that comes up frequently in my classes, and just in discussions in general, especially with people who are new to networking, is: if I have a network firewall such as a Cisco ASA at the edge of my network, do I need to install the desktop firewall software, do I need to activate it on my individual computers in my network? And the answer is yes, yes, yes, you do, because, depending on the statistic (I've read varying numbers), the point is that a large percentage of security breaches are caused from internal sources, and a network firewall would have nothing to do with something like that. Maybe you have a user who brings in an infected USB flash drive, or, since this is a BYOD, bring-your-own-device world that we live in today, maybe they bring in an infected system and, say, a worm is released into your network, and systems that aren't protected with a desktop or an application firewall like that would be subject to compromise. So a desktop firewall protects your internal systems, while a network firewall at the edge of your network protects all of the network in general, but it's not going to have any effect on somebody bringing in an infected CD-ROM, for example. So you need both.

Now, one other comment on this before we move on. A lot of times people will say, well, that's such a pain to configure and I've got to manage them, and they complain about that. Well, that's what tools like Microsoft Group Policy are designed for, so if you're new to networking, one of the best gifts you can give yourself is to learn how to use centralized management tools such as Group Policy. I'm not going to go into any more detail on that, but the point of this slide is that you need both: you need a desktop firewall to protect your individual nodes and a network firewall at the edge to keep the bad stuff out of your network.

The Cisco ASA family of firewalls starts with the small office/home office version, which is the 5505; that's the one you see in the upper right-hand corner of the graphic. It goes all the way up through the 5510, 5520, 5540 and 5550, the X series such as the 5515-X, all the way up into the 5580 and 5585 series, which are designed for provider-class applications. We're going to be doing the demo using a 5505, but again, what I'm going to show you should be relevant no matter which version of the ASA software you're working with or which ASA platform you're working with.

Let's take a look at the front of the 5505; then we'll take a look at the back. In the lower left-hand corner you see a USB 2.0 port. That is inactive and it's reserved for future use. It's been reserved for future use since the ASAs first came out back in the mid-2000s, so I'm not sure what Cisco is planning to do with that; you would think that by now it would be active for something, but it's not. Then, moving along, there are eight indicator lights along the top that indicate link activity and eight along the bottom that indicate that you're connected at Fast Ethernet speeds. Then on the right-hand side there's a power indicator, meaning the unit is receiving power; a status indicator: if it's flashing, that means the unit is booting, and if it's solid, then the unit is either booted or nearly booted; active means it's processing traffic; VPN means that it has a VPN connection; and SSC means that there is a card in the security services card slot on the back.

Let's take a look at the back. So here is the back of an ASA 5505, and in the upper left-hand corner you see the security services card slot; that is for adding additional functionality through cards. In the lower left-hand corner there's the power port, and then there are eight Ethernet ports, and this is counter-intuitive, so listen carefully: they are numbered from right to left, not the way you would expect them to be, so port number zero is on the far right and port number seven is on the far left. Typically we connect the outside to port 0 and the inside to ports one through seven. You can configure it however you want, but that's the default configuration. Also, you need to be aware of the fact that ports six and seven are PoE enabled, so if you have, say, an IP phone or an access point or a switch that is PoE powered, then you can plug it into either of those two ports and power it off of the ASA. Continuing to the right, there are two more USB 2.0 ports that are reserved for future use; they are inactive as of the time of this video. And then there's a Cisco console port, so you'll need to get a Cisco console cable. If you cringe at the thought of working in the command line, get over it, because when you're working with Cisco devices there will be times where you'll have to go into the command line and type some commands. It's not that difficult, so make sure you've got a Cisco console cable. On the far right there's a security lock slot, and then right below that is a reset button. The reset button, like the USB ports, is reserved for future use, so as of right now, at least based on the research that I did prior to producing the video and experimenting in my lab, it still does nothing. You can push it and nothing will happen.

Now there's an important concept that you need to understand relative to Cisco security appliances, and that is the concept of security levels. We assign security levels to interfaces, and then traffic can flow, unimpeded, from a network behind a security level that is high to a network behind a security level that is relatively low. So here you see the office LAN; the interface connected to the office LAN has a security level of 100, and the Internet's interface has a security level of zero. That simply means that traffic can flow from the office LAN to the Internet fundamentally unimpeded, but not the other way around. Again, it kind of goes back to the first slide that we showed you about initiating connections. In other words, you can initiate a connection from the office LAN to the Internet, because the office LAN has a security level of 100, but not from the Internet to the office LAN. Now, one comment before we go on: you may notice that the DMZ has a security level of 50, and there's a web server and a mail server up in the DMZ in the upper left-hand corner, so you're thinking, well, okay, so how does an Internet user get to the web server in the DMZ, since the DMZ has a security level of 50 and the Internet has a security level of zero? And the answer is we poke a hole in the firewall using a combination of an access control list and a static NAT statement to allow specific traffic flows to get to either the web server or the mail server. Now, we're not going to go into any more detail on that, but just for right now, just know that that is possible and that's how that works.

Prerequisites for this lesson: you should have the following. Unrestricted privileged mode access to a Cisco ASA security appliance; the one I'm using is a 5505. You'll want it configured as a DHCP server, which will happen automatically when you apply the default configuration, but if for some reason you don't want a DHCP server in there, then you'll need to manually assign an IP address to your management workstation. And that's the next requirement: a computer for your management workstation. I'm going to be using a computer running Microsoft Windows 8, but you could use an older version of Windows or a Mac or Linux system. You'll also need an Ethernet cable, a Cisco console cable, and, if your management workstation doesn't have a COM port on it (and let's face it, most of them don't today), then you'll also need a USB-to-serial adapter. Here's a picture of the Cisco console cable. They're pretty widely available; you can make them if you want, get them on eBay, or you can buy a new one from Cisco, but they're pretty pricey from Cisco. Also, if you don't have a COM port on your PC, then you'll need a USB-to-serial adapter such as the one I'm showing you on the far right. Be careful on which one you get; if you get a cheap one, a lot of times you'll have problems with the chipset not being compatible with the Windows operating system, or whatever operating system you're using, so you just want to be prepared to spend, you know, maybe 35 or 40 bucks to get a good one, and make sure that, if you're using it with Windows, it is logo certified.

Now here's the network diagram that we're going to be working from. As you can see, it's pretty simple. We've got a serial console cable connected from the management workstation, either the COM port or through a USB-to-serial adapter to a USB port on the management workstation, going to the console port on the firewall, and then we also have an Ethernet cable connected to port 1, not port 0, on the ASA. That's confusing, so let's just take a quick look at it. Here's the back of the ASA, and you want to connect to port 1; that's the second-from-the-right port on the back of the ASA.

Here's your disclaimer: this video is provided solely as a courtesy to you, our viewer. There are no guarantees whatsoever. Please do not attempt these procedures on a production firewall without first testing them for security and suitability in a lab environment. These procedures will destroy your firewall's existing configuration, so if you're doing this on a firewall that's already configured, you may want to do a backup, and we'll cover that in a different video. Also, performing these procedures may open your firewall to the public Internet and subject your network to attack, so make sure you have current backups and take precautions, including data encryption and additional access controls, to protect sensitive data. Just generally good advice anyway.

So here we go. Let's start by erasing the existing configuration. Now, that may not be something you want to do, but I want to demonstrate this with a completely clean configuration. You'll notice the prompt is showing asa01; that's an arbitrary hostname that I gave to the ASA. We're going to go into privileged mode, so I'll type en, which is short for enable, and it prompts me for the password. I don't have a password on this one, since it's just in my lab, so just hit Enter, and now I'm in privileged mode. The difference is that in user mode, where I have limited access to commands, the prompt is a greater-than sign, and in privileged mode, where I have access to all commands, the prompt is a pound sign. Now we're going to erase the existing configuration with the command write erase, which I can abbreviate with wr er; that's short for write erase. It's going to prompt me and I'm going to confirm by hitting Enter. It whirs for a moment and it says OK. You've done it; you've blown away the configuration in flash memory. Now, the firewall will continue to function, because right now the configuration lives in dynamic RAM, but as soon as I power cycle or reload the device it's going to try to read its saved configuration from flash memory and it's not there. Let's just take a look. Let's do the command show startup-config; I could have abbreviated that show start. Notice that it says no config. So we're going to say reload noconfirm, and that's going to reload the device without asking for confirmation.

There it goes, and we'll do a quick edit and come back when it's completely reloaded and ready for us to work with. So now, through the miracle of digital editing, we've rebooted in record time, and you can see that there's a prompt at the bottom that says "Pre-configure Firewall now through interactive prompts?" You actually could go through that process, but we're not going to do that for the purpose of the video, so I'm going to say no. Now let's go into privileged mode. Notice that the prompt has changed, by the way; it now says ciscoasa. That's because the old config is completely gone. In fact, let's go ahead and go into privileged mode: en, short again for enable. There's no password, so we'll just hit Enter, and let's do the command show startup-config, which we can abbreviate show start. Again, there's still no configuration. Now let's go into global configuration mode with the command configure terminal, which we can abbreviate just conf t, and it's asking if we want to enable anonymous error reporting. Maybe you do, maybe you don't; for our purpose in the video I'm going to say no. Cisco would appreciate it if you would, but again, that's a personal preference. And we're going to issue the command configure factory-default to apply a default configuration to the security appliance, and then we can go in and modify it in the GUI. But right now let's just issue the command configure factory-default. Notice that I've just typed config space fact and I'm going to touch the Tab key, and notice that it just completes the command for me. That's pretty slick. And I could, by the way, provide an IP address here if I want to change the management interface on my security appliance; I could put in the IP address right now and it would apply that to the management interface, but I'm going to just leave it as is and use the defaults. We'll go ahead and hit Enter. Watch what happens now: it's applying the factory default configuration. It doesn't prompt me, it doesn't say "hey, we're about to mess with your config," it doesn't say "are you sure," it just does it, so be aware of that. We're going to touch the space bar at each of the "more" prompts, and almost done, and now it's complete. Let's go ahead and save this with the command write, which is short for write mem, so I can just type wr. And now let's take a look at the saved configuration: show start. See, now it has a configuration in flash memory, so if there were a power event or we reloaded the firewall, it would come back and would actually have a configuration on it, as opposed to before where it didn't. Touch Q to break out of this, and we're all set.

Let's go ahead and bring up a browser and take a look at running the ASDM, the Adaptive Security Device Manager, and continuing the configuration through that. So we've got Internet Explorer open. You can use a different browser, but I've had better luck with Internet Explorer when using the ASDM than with the other two browsers, Chrome and Firefox. Personal preference; I recommend you use IE. I think you'll find it's a little less problematic, but again, personal preference. We're going to type in https, and that's important: you must use secure HTTP to connect to the firewall, otherwise you'll end up with an error. We're going to type in the IP address of the inside interface, so that's going to be 192.168.1.1; that's the default. If you configured it with some other address, then you'll need to use that. We'll go ahead and hit Enter, and you get a security warning. Just click through that; in the real world you may want to check and make sure that you're connecting to where you think you are. Now notice down at the bottom it says this webpage wants to run the following add-on, and it's asking if it's okay to run Java. You need to do that, so we'll click on Allow, and notice what happens now: the ASDM splash page. It gives us three options. One is to install the ASDM Launcher, and we're not going to do that for this video, although I do have another video where I show you how to do that. You could also run ASDM, or you can run the Startup Wizard. Really, there's not a lot of difference between running ASDM and running the Startup Wizard, other than Run Startup Wizard runs ASDM and then it starts the Startup Wizard, so that's what we're going to do. Click on the Run Startup Wizard button, and it goes through the process of starting Java, and we'll get some certificate warnings. That's fairly normal; just make sure you know what you're connecting to. We'll click on Yes, and now it's asking us for our username and password. Well, we didn't configure one, so we'll just simply click OK, and it's going to whir for a moment, then it'll come back and actually start the ASDM, and then it will kick in the Startup Wizard as well. And here it goes. We'll get a warning about letting Cisco know, reporting about errors and how we use it; we'll bypass that. There's the warning; well, it's called Smart Call Home, and we'll just not enable that. Cisco would like us to, but for the purpose of the video we're going to bypass that. Click on OK, and there's our Startup Wizard, just finishing getting the data from the device, and now we're ready to go.

You'll notice that we have two options. One is to modify the existing configuration or reset the configuration to the factory defaults, and since we've already reset it to the factory defaults, we just want to modify the existing configuration, tweak it a little bit, so we'll click on Next. Notice that it says configure the device for teleworker usage as an option; that would allow us to set it up for remote access VPN usage and remote management, that sort of thing. We're not going to do that; we're just going to configure it as a standalone device. This is just setting up the very basic ASA like it's configured in thousands, maybe millions, of offices, small offices and home offices around the world. Now let's give it a hostname, and so I'm just going to call it asa01, not feeling particularly creative here, so we'll go with that. And now we'll choose our domain name; you'll probably want to use something other than what I'm using, but I'll use my company name. We'll change the privileged mode password. This is the password that you use to get into privileged mode; that's what the name says, and so you want to use something fairly robust, whatever you choose. I'm going to put in just one that I like to use for this purpose, and we'll click Next.

Now it's a page about configuring VLANs. If you're working with a 5510, 5520, 5540, 5550 or one of the X-series, you're not going to see this, but for the 5505, since it has a built-in eight-port switch and the interfaces that it uses are physical interfaces that are made members of VLANs, we have to configure the VLANs, and so we'll configure two of them. We're not going to configure the DMZ, so we'll just choose Do not configure for the DMZ, and we'll clear this checkbox, and we'll click Next. Now it's asking us to assign switch ports to VLANs, and we're going to go with the default configuration, but I just want to point out that by default it associates Ethernet 0/0, that's port 0, the farthest rightmost port on the back of the firewall, with the outside VLAN, which is VLAN 2 by default, and it associates ports 1 through 7, or as it labels them Ethernet 0/1 through 0/7, with VLAN 1, the inside VLAN. We don't need to make any changes here, so we'll simply click Next and go on. Now it's asking us to assign IP addresses to the interfaces, and we're going to use DHCP to get our IP address on the outside VLAN. If you need to assign a static, then you can push the radio button that says Use the following IP address and put in whatever address you need and the appropriate mask, but we're going to use DHCP. There's one thing we need to do here, and that is to check the box for Obtain default route using DHCP, and we want to do that. Typically we would do that, I think, because we're going to get that from our ISP and we want to use their router as the default route, and so I think most of the time you'll want to do that. Now let's do the inside, and we can just leave it at the default. If you need to change it for some reason, then go ahead and do that, but I think most of the time you'll probably leave it as the default, and we'll click Next.

Now we're enabling the DHCP server, and as you can see, by default it wants to do that on the inside interface. The only thing we really need to configure here is how it's going to get the DNS settings, and maybe you want to check the box for Enable auto-configuration from the interface; if you do that, it's going to pull all of those settings from your ISP's DHCP server. I tend to like to use OpenDNS for my DNS server, so I'm going to set that up here, but this is really a matter of personal preference for you. OpenDNS, if you're not familiar with it, just search on it and you'll see what it's about, but it's an open DNS server that anybody can use, so I'm going to enter their two DNS servers: 208.67.222.222 for the first one and, for the second one, 208.67.220.220. We don't need to configure a WINS server; if you need to do that, you'll know what the address is, but most of you probably won't need to do that. Our lease length we're going to set to one day, so that's 86,400 seconds, which is the default. Our ping timeout we're going to set to 50 milliseconds, again the default; oops, let's type that. And our domain name: this is the domain name that's handed out to the DHCP clients, and I'll set that again to soundtraining.net; you'll probably want to use your own. And now we're ready, so we'll click on Next.

Next is using port address translation, and probably you're going to want to use port address translation. In order to do that, we'll simply push the radio button that says Use port address translation, and we'll accept the default of Use the IP address on the outside interface. What this does is it allows all of your inside clients to share an IP address on the outside, and that's the typical configuration. You know, if you're using a little Linksys or a Netgear home router, that's what it does, and so for most purposes this is what you're going to want to do. If you need to do it a different way, you'll probably know that, and then you can configure it accordingly. We'll click on Next. Now this is the page where we configure administrative access, and it's all set up. This is simply saying who can connect to the ASDM, and it's fine as it is, so we'll click on Next, and it's giving us a summary of what we've done. Take a look at it, make sure it's what you expect, and when you're satisfied, click on Finish. It delivers the commands to the device, and now it wants a network password. Now, we don't have a username configured yet, so we'll tab down to the password field and enter the password that we just configured and click on Login, and away we go. In a moment you'll see the ASDM with the new configuration. You can tell that it's the new configuration because, remember, we gave it a new hostname, and if you look in the upper left-hand corner it says the hostname is now asa01.

A couple of other things that you probably want to do: down at the very bottom, let's enable logging so you can see what's going on. That's handy when you're troubleshooting or just want to kind of see what's going on with the system. The other thing that I like to do is up under the Tools menu: click on Tools and go to Preferences, and there's an option to allow you to preview commands before the ASDM sends them to the device. I like to do that just so I can see what the command-line commands are, so we'll check that box that says Preview commands before sending them to the device. We'll click on OK and we're good. Now we've got a fully functioning ASA security appliance configured through the ASDM, and that's how you do the very basic configuration. We have other videos where we've shown you how to set up a VPN or how to set up DMZs and some of the other aspects of administration, but this is where it all starts.

If you'd like more information, visit our website at www.traknetpm.com, training dotnet slash blog. Either way, you can follow us on Google+, Facebook and Twitter. If you'd like more videos, they're on our video channel; we're adding new videos all the time, usually several a week, at soundtraining.net videos. If you'd like the companion book, I'd love for you to have a copy of it. It's available through our bookstore at www.weiu.net/bookstore, or you can find it at Amazon or through other Internet resellers. Well, I hope it's been helpful for you. For soundtraining.net, I'm Don Crawley. We'll see you next time.
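For readers who turn on "Preview commands before sending them to the device", here is an added reconstruction (not the video's or Cisco's own output) of roughly what the wizard choices above look like once they land in the ASA's running configuration: security levels 100/0 on the inside and outside VLANs, the outside interface on DHCP with the default route learned from it, the inside DHCP server with the OpenDNS servers, PAT on the outside interface address, ASDM limited to the inside subnet, and logging enabled. It assumes ASA 8.3 or later object-NAT syntax; the domain name, the enable password and the DHCP pool range are placeholder/example values.

```cisco
! Added reconstruction, assumes ASA 8.3+ syntax; <...> values are placeholders
hostname asa01
domain-name example.net
enable password <strong-privileged-mode-password>
!
! Inside VLAN: security level 100, may initiate connections outbound
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside VLAN: security level 0, cannot initiate connections inbound.
! "setroute" is the "Obtain default route using DHCP" checkbox.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Port 0 (far right on the back) carries the outside VLAN;
! Ethernet0/1 through 0/7 stay in VLAN 1 (inside) by default.
interface Ethernet0/0
 switchport access vlan 2
!
! DHCP server for inside clients (pool range is an example value)
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 86400
dhcpd ping_timeout 50
dhcpd domain example.net
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
! PAT: every inside host shares the outside interface's address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Administrative access: ASDM over HTTPS, only from the inside subnet
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Logging, so ASDM can show what the appliance is doing
logging enable
logging asdm informational
```

Compare this against what your own ASDM preview window shows; any line that differs (a wider http statement, a different NAT form) is worth understanding before you click Send.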