
Understanding the Eight Base Commands on a Cisco ASA Security Appliance

Copyright © 2012 Don R. Crawley

Published: 15Apr2008

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. Here are eight basic commands:

**interface**
The interface command identifies either the hardware interface or the VLAN interface that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces.

**nameif**
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

**security-level**
Security levels are used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.

In the following sample configuration, the interface command is first used to select the inside and outside VLAN interfaces, which nameif then names (each receiving its default security level); the DMZ interface is then selected, named, and explicitly assigned a security level of 50.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

**ip address**
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise, it's not necessary.

In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

**switchport access**
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

**nat**
The nat command enables network address translation on the specified interface for the specified subnet.

In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT I.D. which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.)

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

**global**
The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world.

In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.

ciscoasa(config)# global (outside) 1 12.3.4.5

In this additional example of the use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface.

ciscoasa(config)# global (outside) 1 interface

**route**
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets.

In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The keyword outside identifies the interface through which traffic will flow to reach the default route.

ciscoasa(config-if)# route outside 0 0 12.3.4.6
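The eight commands above are easy to get subtly wrong: a VLAN interface named but never given a switchport or an address, a nat I.D. with no matching global, or no default route at all, and the appliance will not pass traffic the way the article describes. The following Python script is an added example written for this page, not code from the article or from Cisco; it parses the article's own command lines (the prompts stripped, concatenated as constructed sample input) with a small hypothetical parser that understands only these eight commands, reproduces the appliance's default security levels (100 for an interface named inside, 0 for any other name), decides which interface pairs may open connections without an access-list, and audits the result for the gaps listed above. Note that the nat/global pair shown in the article is the pre-8.3 syntax; ASA 8.3 and later replaced it with object-based NAT, so the parser's nat and global handling applies to those older releases.

```python
"""Added example: parse the article's eight-command ASA 5505 configuration and
check the properties those commands are meant to establish. Hypothetical
parser written for this page; it understands only the commands used here."""
import re
from dataclasses import dataclass

# Constructed sample: the article's commands, prompts removed, in article order.
SAMPLE_CONFIG = """
interface vlan1
 nameif inside
interface vlan2
 nameif outside
interface vlan3
 nameif dmz
 security-level 50
interface vlan 1
 ip address 192.168.1.1
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 switchport access vlan 1
 no shutdown
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 12.3.4.5
route outside 0 0 12.3.4.6
"""


@dataclass
class Interface:
    ifname: str                 # normalised name, e.g. "vlan1", "ethernet0/0"
    nameif: str = None
    security_level: int = None
    ip: str = None
    access_vlan: str = None     # physical ports only: the VLAN they belong to
    shutdown: bool = True       # 5505 switchports stay down until "no shutdown"


@dataclass
class AsaConfig:
    interfaces: dict   # ifname -> Interface
    nats: dict         # nat id -> (nameif, network, mask)
    globals_: dict     # nat id -> (nameif, address or "interface")
    routes: list       # (nameif, network, mask, gateway)


def _ifname(tokens):
    # "vlan 1" and "vlan1" select the same interface; "ethernet 0/0" -> "ethernet0/0"
    return "".join(tokens).lower()


def _zero(token):
    # "route outside 0 0 gw": a bare 0 is shorthand for 0.0.0.0
    return "0.0.0.0" if token == "0" else token


def parse_config(text):
    cfg, cur = AsaConfig({}, {}, {}, []), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = cfg.interfaces.setdefault(_ifname(t[1:]), Interface(_ifname(t[1:])))
        elif t[0] == "nameif":
            cur.nameif = t[1]
            if cur.security_level is None:          # appliance default levels
                cur.security_level = 100 if t[1] == "inside" else 0
        elif t[0] == "security-level":
            cur.security_level = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur.ip = t[2]
        elif t[:2] == ["switchport", "access"]:
            cur.access_vlan = "vlan" + t[3]
        elif t[:2] == ["no", "shutdown"]:
            cur.shutdown = False
        elif t[0] == "nat":
            m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", raw.strip())
            cfg.nats[m.group(2)] = (m.group(1), m.group(3), m.group(4))
        elif t[0] == "global":
            m = re.match(r"global \((\S+)\) (\d+) (\S+)", raw.strip())
            cfg.globals_[m.group(2)] = (m.group(1), m.group(3))
        elif t[0] == "route":
            cfg.routes.append((t[1], _zero(t[2]), _zero(t[3]), t[4]))
    return cfg


def levels(cfg):
    return {i.nameif: i.security_level for i in cfg.interfaces.values() if i.nameif}


def flow_allowed_by_default(cfg, src, dst):
    """True when new connections from `src` may reach `dst` without an
    access-list: strictly higher-to-lower only. Equal levels are blocked
    unless same-security-traffic is enabled on the appliance."""
    lv = levels(cfg)
    return lv[src] > lv[dst]


def audit(cfg):
    """Findings that would keep the article's basic firewall from working."""
    f, lv = [], levels(cfg)
    for i in cfg.interfaces.values():
        if i.nameif and i.ip is None:
            f.append(f"{i.nameif} ({i.ifname}) has no ip address")
        if i.access_vlan and i.access_vlan not in cfg.interfaces:
            f.append(f"{i.ifname} is assigned to undefined {i.access_vlan}")
        if i.access_vlan and i.shutdown:
            f.append(f"{i.ifname} is still shut down")
    members = {i.access_vlan for i in cfg.interfaces.values() if i.access_vlan}
    for i in cfg.interfaces.values():
        if i.nameif and i.ifname.startswith("vlan") and i.ifname not in members:
            f.append(f"{i.nameif} ({i.ifname}) has no switchport assigned")
    for nat_id, (ifname, _net, _mask) in cfg.nats.items():
        if nat_id not in cfg.globals_:
            f.append(f"nat id {nat_id} on {ifname} has no matching global")
    if not any(r[1] == "0.0.0.0" and r[2] == "0.0.0.0" for r in cfg.routes):
        f.append("no default route")
    for name, level in lv.items():   # anything below outside is reachable by default
        if name != "outside" and "outside" in lv and level < lv["outside"]:
            f.append(f"{name} is below outside and reachable from it by default")
    return f


if __name__ == "__main__":
    c = parse_config(SAMPLE_CONFIG)
    print(levels(c))
    for finding in audit(c):
        print("finding:", finding)
```

Run against the article's own commands, the audit reports that outside and dmz were never given an address (outside would normally get one with ip address dhcp, which is what the global ... interface form relies on) and that no switchport was assigned to the dmz VLAN; removing the global or route lines from the sample makes the corresponding findings appear as well.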

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.

Don R. Crawley, CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in business skills and technical training programs for IT professionals. He works with I.T. pros to enhance their work, lives, and careers. Information about soundtraining.net's training seminars for the Cisco ASA Security Appliance is available at soundtraining.net.
