The Eight Basic Commands on a Cisco ASA Security Appliance
In this small article, speaker and veteran I.T. guy Don R. Crawley explains the eight basic commands needed to enable basic firewall functionality on a Cisco ASA Security Appliance.
Copyright (c) 2008 Don R. Crawley
There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you become more familiar with the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:
**interface**
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.
**nameif**
The nameif command gives the interface a name and assigns a security level. Common names are outside, inside, or DMZ.
**security-level**
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.
In the following example configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
**ip address**
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With current versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise it is not necessary.
In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1
**switchport access**
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the following example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
**nat**
The nat command enables network address translation on the specified interface for the specified subnet.
In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The digit "1" is the NAT I.D., which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.)
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
**global**
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world.
In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.
ciscoasa(config)# global (outside) 1 12.3.4.5
In this alternative use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface.
ciscoasa(config)# global (outside) 1 interface
**route**
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send particular types of traffic to specific hosts on specific subnets.
In this example configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.
ciscoasa(config-if)# route outside 0 0 12.3.4.6
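The eight commands above only work as a set: each nameif needs a level, every nat I.D. needs a matching global, and the route must name a real interface. The following added example (not from the article or from Cisco) parses a constructed running-config built from the commands in this article, applies the nameif default levels the text describes (100 for inside, 0 otherwise), flags nat/global and interface-name mismatches, and answers which flows are allowed without an access-list.

```python
import re

# Constructed sample config using the article's names, levels, NAT ID and addresses
# (assembled here for illustration; not captured from a device).
SAMPLE_CONFIG = """
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface vlan2
 nameif outside
 ip address dhcp
interface vlan3
 nameif dmz
 security-level 50
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
route outside 0 0 12.3.4.6
"""

def parse_config(text):
    """Return (interfaces, nat, global, routes) gathered from an ASA-style config."""
    ifaces, nat, glob, routes = {}, {}, {}, []
    name = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
            # nameif assigns the default level: 100 for "inside", 0 for everything else
            ifaces[name] = 100 if name == "inside" else 0
        elif line.startswith("security-level ") and name:
            ifaces[name] = int(line.split()[1])   # explicit level overrides the default
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+)", line):
            (nat if m[1] == "nat" else glob)[int(m[3])] = m[2]   # NAT ID -> interface
        elif m := re.match(r"route (\S+) ", line):
            routes.append(m[1])
    return ifaces, nat, glob, routes

def default_flow_allowed(ifaces, src, dst):
    """Without an access-list the ASA only permits flows from a higher to a lower level."""
    return ifaces[src] > ifaces[dst]

def find_problems(text):
    """Consistency checks worth running before trusting a minimal config like this one."""
    ifaces, nat, glob, routes = parse_config(text)
    problems = []
    for nat_id in sorted(set(nat) ^ set(glob)):
        problems.append(f"NAT ID {nat_id} appears in nat or global but not both")
    for iface in list(nat.values()) + list(glob.values()) + routes:
        if iface not in ifaces:
            problems.append(f"unknown interface name {iface}")
    return problems
```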
The above commands produce a perfectly basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to consider include hostname to name the firewall, telnet or SSH to permit remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.
Source: Free Articles from ArticlesFactory.com
Published: April 20, 2008