Basic Cisco ASA firewall setup

There are many firewall options out there, but one of the most prevalent is the Cisco ASA. This post is a basic configuration outline for an ASA firewall with basic connectivity as well as dynamic and static NAT. While an ASA can provide many different services, this post centers on an ASA running the 8.x code and doing only the basics; note that the global/nat/static NAT syntax shown here is the one used through release 8.2, since 8.3 replaced it with object-based NAT. This particular setup is a firewall in routed mode, used for NAT/PAT, with only an inside and an outside interface configured.

The first settings to enter on an ASA, or on most other Cisco networking devices, are the hostname, the domain name, and the enable password used to log into privileged exec mode.


config t
hostname LabASA1
domain-name labasa1.yourdomain.com
enable password Secret1

Next comes the interface configuration for the ‘inside’ and ‘outside’ interfaces of the firewall. By default the outside interface of an ASA has security level ‘0’, meaning least secure, while the ‘inside’ interface is set to ‘100’, the most secure. The security levels drive the basic operation of the Cisco ASA, which by default statefully allows traffic from a higher security level to a lower one and lets only the return traffic of those sessions back in. Physical interfaces on an ASA are administratively down until you enter no shutdown, so that is included below.


config t
interface ethernet 0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
interface ethernet 0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown

For the purposes of this post, we will be using the 10.1.1.x subnet as a simulated ‘public’ IP range, and 192.168.1.x as a private IP range. The outside designation corresponds to the public internet side of an ASA firewall, while the inside designation is the connection point to the internal network.

The route outside command is the equivalent of a default quad-zero route on a router: everything not otherwise known goes to the next hop 10.1.1.1 via the outside interface. The route inside statement directs traffic destined for the private 192.168.0.0/16 range to the internal next hop 192.168.1.2 via the inside interface. The trailing 1 on each line is the administrative distance.


config t
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1

To aid in troubleshooting, it’s always a good idea to enable logging, even if it’s only to the internal buffer. The logging buffered command sets the severity level kept in that buffer (viewed with show logging); without it, logging enable on its own sends nothing anywhere you can read.


config t
logging enable
logging buffered informational

After you set up your ASA, you’ll want to allow remote access using a local user account, and restrict that access to the specific interfaces and source networks you intend to use for management.

The commands below allow SSH access to the outside interface from 10.1.1.0/24 and to the inside interface from 192.168.1.0/24. Each line takes a network address and a subnet mask, so the mask has to match the range you mean (a 255.255.255.255 mask would admit exactly one address). SSH should only be allowed into your firewall from trusted sources.


config t
ssh 10.1.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside

The ASA also provides a GUI for managing the device, called ASDM. To enable the HTTP server that ASDM needs, issue the following command.


config t
http server enable

The following command restricts HTTP/ASDM access to a particular source range on a given interface, here the 192.168.1.0/24 inside network:


config t
http 192.168.1.0 255.255.255.0 inside
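The ssh and http allow lines above are both a network address plus a mask, and the two mistakes that are easiest to make there (a /32 mask against a /24 network, or a mask that does not fit the network address) are silent: the ASA accepts the line and you only find out when a login fails. The following Python is an added example, not part of the original post or of any Cisco tooling; it parses lines in that format, lints the masks, and answers the question “would this source address be allowed to manage the box?”. The sample config is constructed and deliberately contains both slips.

```python
import ipaddress

# Constructed sample in the style of the post. The first ssh line carries a
# /32 mask against what should be a /24 network; the http line's mask does not
# fit its network address. Both are the kind of typo this lint is meant to catch.
SAMPLE_CONFIG = """\
ssh 10.1.1.0 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.0.0 inside
"""


def parse_mgmt_rules(config):
    """Return (proto, network, mask, interface) for each ssh/http allow line."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("ssh", "http"):
            rules.append(tuple(parts))
    return rules


def lint_mgmt_rules(rules):
    """Return a list of (rule_text, message) for rules that look mistyped."""
    findings = []
    for proto, net, mask, iface in rules:
        rule = f"{proto} {net} {mask} {iface}"
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        except ValueError:
            # e.g. 192.168.1.0 with 255.255.0.0: host bits are set under the mask,
            # so the range the admin had in mind is not the range written down
            findings.append((rule, "network address has host bits set under this mask"))
            continue
        if network.prefixlen == 32 and net.endswith(".0"):
            # A /32 on an address ending in .0 almost always means a subnet was
            # intended; as written it admits exactly one (unusual) address.
            findings.append((rule, "single-host mask on a network address; did you mean a subnet mask?"))
    return findings


def mgmt_access_allowed(rules, proto, src_ip, iface):
    """True if src_ip arriving on iface may use proto ('ssh' or 'http')."""
    src = ipaddress.ip_address(src_ip)
    for r_proto, net, mask, r_iface in rules:
        if r_proto != proto or r_iface != iface:
            continue
        # strict=False mirrors a device that zeroes host bits instead of rejecting
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if src in network:
            return True
    return False


if __name__ == "__main__":
    rules = parse_mgmt_rules(SAMPLE_CONFIG)
    for rule, msg in lint_mgmt_rules(rules):
        print(f"WARN {rule}: {msg}")
    # The /32 line lets in 10.1.1.0 itself and nobody else on that subnet.
    print(mgmt_access_allowed(rules, "ssh", "10.1.1.50", "outside"))   # False
    print(mgmt_access_allowed(rules, "ssh", "192.168.1.20", "inside")) # True
```

Run it against a show running-config dump before you close your console session: a warning on the ssh line for the interface you are about to rely on is the cheapest lockout you will ever avoid.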

Last, but not least: in order to have a login account to manage the ASA, you must create a local user with admin privileges (privilege 15). The ASA must also be told to use the local user database for SSH console access. Give the password in clear text and the ASA hashes it before storing it; the encrypted keyword is only for pasting an already-hashed password from another config, and adding it to a clear-text password stores that text as if it were the hash, so the account cannot log in.


config t
username administrator password Secret4admin privilege 15
aaa authentication ssh console LOCAL

Once you have basic IP connectivity, logging, and remote access hammered out, the next most basic function of a firewall is to provide NAT/PAT to the internally addressed hosts so they can reach the internet.

The following statements set up dynamic NAT/PAT to the outside interface’s IP address: the nat line selects the inside sources (here, everything), and the global line with the same ID 1 says to translate them to the outside interface address.


config t
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

If a device on the internal network requires the same public IP address every time it goes to the internet, a static mapping can be created that NATs a permanent public address to that internal host. A static entry also exists before any outbound traffic, which is what makes inbound connections to it possible at all:


config t
static (inside,outside) 10.1.1.5 192.168.1.5 netmask 255.255.255.255
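To make the difference between the dynamic PAT entry and the static entry concrete, here is an added Python model of the xlate table those three commands build. It is not from the post or from Cisco: the addresses are the post’s (10.1.1.2 as the outside interface, 10.1.1.5 mapped to 192.168.1.5), the workstation addresses and ports are constructed, and port selection is a simplification (keep the real source port when free, otherwise hand out the next unused port from 1024 up). It shows why two inside hosts can share the interface address, why a reply to the PAT address is only deliverable when an outbound flow created the entry, and why the static host is reachable without one.

```python
# Added example (not from the original post): a toy model of the ASA xlate table
# built by "global (outside) 1 interface", "nat (inside) 1 0.0.0.0 0.0.0.0" and
# "static (inside,outside) 10.1.1.5 192.168.1.5 netmask 255.255.255.255".
# Port selection is a simplification of the real allocator.

OUTSIDE_IP = "10.1.1.2"                    # outside interface address from the post
STATIC_MAPS = {"192.168.1.5": "10.1.1.5"}  # real -> mapped, from the static command


class NatTable:
    """Static one-to-one entries plus dynamic PAT onto the outside interface."""

    def __init__(self, outside_ip=OUTSIDE_IP, static_maps=STATIC_MAPS):
        self.outside_ip = outside_ip
        self.static = dict(static_maps)                        # real -> mapped
        self.static_rev = {m: r for r, m in static_maps.items()}
        self.pat = {}       # (real_ip, real_port) -> mapped_port
        self.pat_rev = {}   # mapped_port -> (real_ip, real_port)
        self.next_port = 1024

    def _alloc_port(self):
        """Hand out the lowest unused mapped port at or above 1024."""
        while self.next_port in self.pat_rev:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, real_ip, real_port):
        """Translate an inside source as the packet leaves the outside interface."""
        if real_ip in self.static:
            return self.static[real_ip], real_port       # static NAT keeps the port
        key = (real_ip, real_port)
        if key not in self.pat:
            # keep the real port if no other host already owns it on the outside
            mapped = real_port if real_port not in self.pat_rev else self._alloc_port()
            self.pat[key] = mapped
            self.pat_rev[mapped] = key
        return self.outside_ip, self.pat[key]

    def inbound(self, mapped_ip, mapped_port):
        """Reverse-translate a packet arriving on outside. None means no xlate
        exists, which is why unsolicited traffic to the PAT address has nowhere to go."""
        if mapped_ip in self.static_rev:
            return self.static_rev[mapped_ip], mapped_port
        if mapped_ip == self.outside_ip and mapped_port in self.pat_rev:
            return self.pat_rev[mapped_port]
        return None


def demo():
    """Walk two workstations and the web server through the table; returns the results."""
    nat = NatTable()
    return {
        "host_a": nat.outbound("192.168.1.10", 40000),   # keeps port 40000
        "host_b": nat.outbound("192.168.1.11", 40000),   # port taken -> gets 1024
        "web": nat.outbound("192.168.1.5", 443),         # static: 10.1.1.5:443
        "reply_b": nat.inbound("10.1.1.2", 1024),        # back to host_b
        "unsolicited": nat.inbound("10.1.1.2", 5000),    # no xlate -> None
        "to_web": nat.inbound("10.1.1.5", 443),          # static needs no prior outbound
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

The None for the unsolicited case is the PAT side of the “hide the inside” story; the static case returning a real address is exactly the hole the next section has to guard with an access list.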

If that host is, for example, a web server that needs to be reachable from the internet on a particular public IP address, you will also have to create an access list that explicitly permits traffic from the internet to the server’s public IP address on that particular port; the static mapping alone does not open anything.

Below, the access list named ‘world’ allows HTTPS traffic to 10.1.1.5 and is applied inbound on the outside interface with the access-group command in global configuration mode. On 8.2 and earlier the access list matches the mapped (public) address, as here; from 8.3 on it matches the real inside address. Once an access list is applied to an interface, it replaces the security-level default for that interface, so anything the list does not permit is dropped.


config t
access-list world extended permit tcp any host 10.1.1.5 eq https
access-group world in interface outside

After entering the configuration above you have an ASA with IP addresses on its interfaces and basic inside and outside security levels, logging and remote access set up, and an enable password specified. You also have dynamic and static NAT, as well as external access to a privately addressed device through its static mapping and an access list.

The last topic to cover in a basic firewall setup is the purpose of the service policy, policy map, and class map on the ASA. Their structure is similar to policy-based routing on a Cisco router: the class map identifies traffic types, the policy map specifies what to do with the classified traffic, and the service policy applies the policy map to a particular interface or globally on the device.

With an ASA the default policy map already has some core features set up out of the box. This list of traffic types tells the ASA to ‘inspect’ those protocols as they traverse the firewall. The firewall’s connection table ‘remembers’ traffic that leaves from the inside to the outside interface so that the return path is allowed from the outside interface back to the inside interface; the inspection engines add protocol awareness on top of that, for example opening the secondary connections that FTP or SIP negotiate inside the control channel. Below is a config snippet of the generic policy map and the associated commands for the applications enabled for inspection.


class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

There are various other protocols that can be added to the inspect list of the policy map, including pptp, ipsec, icmp and a host of others.
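The security-level rule from the interface section, the ‘world’ access list from the NAT section, and the connection table described just above all decide the same question: is this packet allowed through? The Python below is an added example, not from the post or from Cisco, that models those three rules together. Flows are tracked by the addresses seen on the outside interface (the mapped addresses, which is also what an 8.2 access list matches), so NAT itself is left out; the interface levels and the ACL are the post’s, and the packet addresses are constructed.

```python
from dataclasses import dataclass

# Added example (not from the original post): a toy model of the ASA's default
# forwarding decision. Addresses are the post-translation ones seen on the
# outside interface, so no NAT is modelled here.

SECURITY_LEVEL = {"inside": 100, "outside": 0}

# access-list world extended permit tcp any host 10.1.1.5 eq https
# access-group world in interface outside
ACLS = {"outside": [("tcp", "any", "10.1.1.5", 443)]}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str   # interface the packet arrives on


class StatefulFirewall:
    def __init__(self, levels=SECURITY_LEVEL, acls=ACLS):
        self.levels = levels
        self.acls = acls
        self.conns = set()   # 5-tuples of permitted flows, as first seen

    @staticmethod
    def _other(iface):
        return "outside" if iface == "inside" else "inside"

    def _acl_permits(self, pkt):
        for proto, src, dst, dport in self.acls.get(pkt.ingress, []):
            if (proto == pkt.proto and src in ("any", pkt.src_ip)
                    and dst == pkt.dst_ip and dport == pkt.dst_port):
                return True
        return False   # implicit deny at the end of every access list

    def process(self, pkt):
        """Return 'permit' or 'deny' for one packet, updating the connection table."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.conns or reverse in self.conns:
            return "permit"   # part of an established flow: no ACL re-check
        if pkt.ingress in self.acls:
            # an inbound ACL on the interface replaces the security-level default
            allowed = self._acl_permits(pkt)
        else:
            # no ACL: a higher security level may initiate to a lower one, never the reverse
            allowed = self.levels[pkt.ingress] > self.levels[self._other(pkt.ingress)]
        if allowed:
            self.conns.add(flow)
        return "permit" if allowed else "deny"


def run_scenarios():
    """Replay the cases a new ASA admin usually asks about; returns the verdicts in order."""
    fw = StatefulFirewall()
    packets = [
        # 1. workstation (seen as the PAT address 10.1.1.2) opens HTTPS to an internet host
        Packet("tcp", "10.1.1.2", 40000, "203.0.113.80", 443, "inside"),
        # 2. the reply comes back: matches the reverse of a known flow
        Packet("tcp", "203.0.113.80", 443, "10.1.1.2", 40000, "outside"),
        # 3. unsolicited connection to the PAT address: no flow, no ACL match
        Packet("tcp", "198.51.100.7", 5555, "10.1.1.2", 22, "outside"),
        # 4. internet client to the published web server: permitted by 'world'
        Packet("tcp", "198.51.100.7", 51000, "10.1.1.5", 443, "outside"),
        # 5. same client to a port the access list does not list
        Packet("tcp", "198.51.100.7", 51001, "10.1.1.5", 22, "outside"),
        # 6. the web server's reply to case 4 leaves via inside: established flow
        Packet("tcp", "10.1.1.5", 443, "198.51.100.7", 51000, "inside"),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenarios(), 1):
        print(f"case {i}: {verdict}")
```

Case 3 versus case 4 is the whole point of the access-list section: the static mapping makes 10.1.1.5 reachable, and the ACL decides on which port. What this model does not show is the application-layer work of the inspect engines, which is the part the policy map above adds on top of plain connection tracking.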

Conclusion
The steps covered in this post set up, and briefly describe, the basic functions needed on an ASA firewall to provide NAT for an internal network. Look for future posts on configuring the other functions available on Cisco’s ASA firewalls.
