Cisco ASA Initial Configuration

1. Configure the Management Interface

ASAv(config)# interface management 0/0
ASAv(config-if)# nameif MGMT
ASAv(config-if)# security-level 100
ASAv(config-if)# ip address 192.168.100.1 255.255.255.0

2. Configure DHCP Service for Management Interface

ASAv(config)# dhcpd address 192.168.100.100-192.168.100.200 MGMT
ASAv(config)# dhcpd enable MGMT

3. Enable SSH access on the Management interface

To configure SSH access to the device, first create a user in the local database, point SSH authentication at that LOCAL database, generate an RSA host key, and then permit SSH only from the management subnet on the MGMT interface.

Commands:

ASAv(config)# username admin password cisco123
ASAv(config)# aaa authentication ssh console LOCAL
ASAv(config)# crypto key generate rsa modulus 2048
ASAv(config)# ssh 192.168.100.0 255.255.255.0 MGMT

Two caveats: `cisco123` is a lab placeholder, so use a strong password (and `privilege 15` if this account is meant to administer the box), and specify the RSA modulus explicitly, because older ASA releases default to a 1024-bit key. Keep the `ssh` source network as narrow as your management hosts allow, and on releases that still support SSHv1 add `ssh version 2`.

TEST from the Management PC: open an SSH session to 192.168.100.1 as `admin` and confirm that you are prompted for the password and land on the ASA prompt.

4. Configure the Inside interface

For a Cisco ASA interface to pass traffic, three things must be configured: a name (`nameif`), a security level, and an IP address. The interface also has to be brought up with `no shutdown`. Naming an interface `inside` sets its security level to 100 automatically; any other name gets 0 unless you set it explicitly.

Commands:

ASAv(config)# interface g0/0
ASAv(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASAv(config-if)# ip address 192.168.10.1 255.255.255.0
ASAv(config-if)# no shut

5. Configure DHCP Service for Inside Interface

Commands:

ASAv(config)# dhcpd address 192.168.10.100-192.168.10.200 inside
ASAv(config)# dhcpd enable inside

TEST:

Set the VPC and the Linux machine to obtain their addresses via DHCP. Both receive an address inside the 192.168.10.100-192.168.10.200 pool defined in the `dhcpd address` command above, which confirms that the inside interface is up and the DHCP server is bound to it.

6. Configure Outside interface

No `security-level` is needed here: any interface not named `inside` defaults to security level 0, which is what the untrusted side should have.

ASAv(config)# interface g0/1
ASAv(config-if)# nameif outside
ASAv(config-if)# ip address 172.16.32.1 255.255.255.252
ASAv(config-if)# no shut

7. Configure default route

ASAv(config)# route outside 0 0 172.16.32.2

TEST Connectivity from ASA to Router

ASAv(config)# ping 172.16.32.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.2, timeout is 2 seconds:
!!!!!

8. Configure Port Address Translation (PAT) for the Inside Network

This is a manual (twice) NAT rule: every host in 192.168.10.0/24 is translated to the address of the outside interface, with ports (or ICMP identifiers) rewritten to keep the translations distinct.

ASAv(config)# object-group network Inside_Network
ASAv(config-network-object-group)# network-object 192.168.10.0 255.255.255.0

ASAv(config)# nat (inside,outside) source dynamic Inside_Network interface

9. Enable ICMP Traffic

By default the ASA does not track ICMP statefully, so an echo request from inside is forwarded but the echo reply arriving on outside is dropped. The quickest way to make ping work is to permit ICMP with an access list applied globally:

Commands:

ASAv(config)# access-list ICMP permit icmp any any
ASAv(config)# access-group ICMP global

Caveat: a global `permit icmp any any` also permits ICMP initiated from the outside toward any inside address the outside can reach (for example anything you later expose with a static NAT), not just the replies to your own pings. Outside a lab, the preferred fix is `inspect icmp` in the default inspection policy (`policy-map global_policy`, `class inspection_default`), which only allows replies matching an echo request the ASA has already seen; the ACL can then be removed.

Test ICMP Traffic from VPC to Router:

VPCS> ping 172.16.32.2

84 bytes from 172.16.32.2 icmp_seq=1 ttl=255 time=23.759 ms
^C
VPCS>

The translation table on the ASA, first with only the `sIT` (static, identity, twice-NAT) entry that belongs to the manual NAT rule itself, then while the ping is running, when the dynamic ICMP PAT entry for the VPC appears (it ages out 30 seconds after the last matching packet):

ASAv(config)# show xlate
1 in use, 11 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:53 timeout 0:00:00

ASAv(config)# show xlate
2 in use, 11 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:00:00 timeout 0:00:00

ICMP PAT from inside:192.168.10.100/59162 to outside:172.16.32.1/59162 flags ri idle 0:00:00 timeout 0:00:30
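The block below is an added, consolidated version of the configuration built in steps 1 to 9, with the hardening a practitioner would apply before putting the ASA in front of an untrusted network. It is not the author's configuration: the interface names and addresses are the ones used on this page, while the password placeholder, `privilege 15`, the explicit RSA modulus, `ssh version 2`, the SSH idle timeout, and the use of `inspect icmp` instead of the global ICMP ACL are editor substitutions. Commands are ASA 9.x syntax and can be pasted in configuration mode; lines starting with `!` are comments.

```text
! --- Management interface (Management0/0 is management-only by default on the ASAv)
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
dhcpd address 192.168.100.100-192.168.100.200 MGMT
dhcpd enable MGMT
!
! --- Local admin account and SSH, reachable only from the management subnet on MGMT
! <StrongPassphraseHere> is a placeholder: replace it before use
username admin password <StrongPassphraseHere> privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.100.0 255.255.255.0 MGMT
ssh version 2
ssh timeout 10
!
! --- Inside and outside interfaces (inside gets level 100, outside level 0)
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 172.16.32.1 255.255.255.252
 no shutdown
!
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd enable inside
route outside 0.0.0.0 0.0.0.0 172.16.32.2
!
! --- PAT: the inside network shares the outside interface address
object-group network Inside_Network
 network-object 192.168.10.0 255.255.255.0
nat (inside,outside) source dynamic Inside_Network interface
!
! --- Return ICMP: stateful ICMP inspection in the default global policy
!     instead of "access-list ICMP permit icmp any any" applied globally,
!     so only replies to echo requests the ASA has seen are allowed back in
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

After pasting, repeat the tests from the page: `ping 172.16.32.2` from the ASA, a ping from the VPC through the ASA, and `show xlate` during the ping, which should show the same `ICMP PAT` entry as above even though no ICMP access list is applied.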


Written by

Experienced Network Security Engineer with a demonstrated history of working in the field of IT security industry.
