Tactical Advice

Core Cisco ASA Commands

IT should understand these eight basic commands for using the security appliance.
Core Cisco ASA Commands

There are thousands of commands and subcommands available to configure a Cisco Adaptive Security Appliance, and as you gain knowledge of the appliance, you will find yourself using more and more of these commands. Initially, however, there are only a few commands required to configure basic functionality on the appliance.

Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands to follow:

interface

The interface command identifies either the hardware interface or the virtual local area network (VLAN) interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switch ports and enable them, or you can assign names and security levels to VLAN interfaces.

nameif

The nameif command gives the interface a name and assigns a security level. Typical names used for interfaces are “outside,” “inside,” or “DMZ” (demilitarized zone).

security level

Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way around. Access lists must be used to permit traffic to flow from lower security levels to higher security levels, which can range anywhere from zero to 100. The default security level for an outside interface is zero. For an inside interface, the default security level is 100.

In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, followed by naming the DMZ interface. The DMZ interface is assigned a security level of 50.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

ip address

The ip address command assigns an IP address to a VLAN interface, either statically or by making it a Dynamic Host Configuration Protocol (DHCP) client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using nonstandard masks, you must explicitly configure the mask; but otherwise, it's not necessary.

In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

switchport access

The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switch ports on the appliance and enable them through the use of the no shutdown statement.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

nat

The nat command enables network address translation on the specified interface for the specified subnet.

In this sample configuration, nat is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number 1 is the nat identifier, which will be used by the global command to associate a global address or pool with the inside addresses. (Note: nat 0 is used to prevent the specified group of addresses from being translated.)

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

global

The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from network-address-translated hosts (usually inside hosts) must flow. It also identifies the global address that network-address-translated hosts will use to connect to the outside world.

In the following sample, the hosts associated with nat identifier 1 will use the global address 12.3.4.5 on the outside interface.

ciscoasa(config)# global (outside) 1 12.3.4.5

In this additional example of the use of the global command, the interface statement tells the firewall that hosts associated with nat identifier 1 will use the DHCP-assigned global address on the outside interface.

ciscoasa(config)# global (outside) 1 interface

route

The route command, in its most basic form, assigns a default route for traffic, typically to an Internet service provider's router. It can also be used in conjunction with access lists to send specific types of traffic to specific hosts on specific subnets.

In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.

ciscoasa(config-if)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions would be overkill.

Other commands that may be of use include hostname, to identify the firewall; telnet or SSH, to allow remote administration; DHCPD commands, to allow the firewall to assign IP addresses to inside hosts; and static route and access-list commands to allow internal hosts such as DMZ web servers or DMZ mail servers to be accessible to Internet hosts.

Sign up for our e-newsletter

Security

Three Ways to Integrate Fire... |
Follow these tips to align the devices with log management and incident tracking systems.
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...