Introducing the Cisco ASA 5500 Series Firewall Appliance
While many consider the Cisco ASA Firewalls complex and difficult devices to configure, Firewall.cx aims to break that myth and show how easily you can set up an ASA Firewall to deliver basic and advanced functionality. We’ve done it with other Cisco technologies and devices, and we’ll do it again :)
The table below provides a brief comparison between the different ASA5500 series security appliances:

| Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 |
|---|---|---|---|---|---|
| Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
| Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps |
| Maximum Firewall and IPS Throughput | Up to 150 Mbps with AIP-SSC-5 | Up to 150 Mbps with AIP-SSM-10; Up to 300 Mbps with AIP-SSM-20 | Up to 225 Mbps with AIP-SSM-10; Up to 375 Mbps with AIP-SSM-20; Up to 450 Mbps with AIP-SSM-40 | Up to 500 Mbps with AIP-SSM-20; Up to 650 Mbps with AIP-SSM-40 | Not available |
| 3DES/AES VPN Throughput*** | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps |
| IPsec VPN Peers | 10; 251 | 250 | 750 | 5000 | 5000 |
| Premium AnyConnect VPN Peers* (Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000 |
| Concurrent Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000 |
| New Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000 |
| Integrated Network Ports | 8-port Fast Ethernet switch (including 2 PoE ports) | 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet ports* | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet |
| Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400 |
Users can also download the complete technical datasheet for the Cisco ASA 5500 series firewalls by visiting our Cisco Product Datasheet & Guides Download section.
Perhaps one of the most important points, especially for an engineer with limited experience, is that configuring the smaller ASA 5505 Firewall does not really differ from configuring the larger ASA5520 Firewall. The same steps are required to set up pretty much all ASA 5500 series Firewalls, which is great news!
The main differences, besides the licenses which enable or disable features, are the physical interfaces of each ASA model (mainly between the ASA 5505 and the larger 5510/5520) and possibly the modules that might be installed. In any case, keep in mind that if we are able to configure a small ASA5505, configuring the larger models won’t be an issue.
At the time of writing, Firewall.cx had a Cisco ASA5505 on hand, so we decided to put it to good use for this article. Do note, however, that all commands and the configuration philosophy are the same across all ASA5500 series security appliances.
Note: ASA software version 8.3.0 and above use different NAT configuration commands. This article provides both the old style (up to v8.2.5) and the new style (v8.3 onwards) NAT configuration commands.
ASA5500 Series Configuration Check-List
We’ve created a simple configuration check-list that will help us keep track of the configured services on our ASA Firewall. Here is the list of items that will be covered in this article:
- Erase existing configuration
- Configure Hostname, Users, Enable password & Disable Anonymous Reporting
- Configure interface IP addresses or Vlan IP addresses (ASA5505) & Descriptions
- Setup Inside (private) & Outside (public) Interfaces
- Configure default route (default Gateway) & static routes
- Configure Network Address Translation (NAT) for Internal Networks
- Configure ASA DHCP Server
- Configure AAA authentication for local database user authentication
- Enable HTTP Management for inside interface
- Enable SSH & Telnet Management for inside and outside interfaces
- Create, configure and apply TCP/UDP Object-Groups to firewall access lists
- Configuration of access-lists for ICMP packets to the Internet
- Apply Firewall access lists to ‘inside’ and ‘outside’ interfaces
- Configure logging/debugging of events and errors
Note: it is highly advisable to save the ASA configuration frequently, to ensure no work is lost in the event of a power failure or an accidental restart.
Saving the configuration is easily done using the write memory command:
ASA5505(config)# write memory
Building configuration...
Cryptochecksum: c0aee665 598d7cd3 7fbfe1a5 a2d40ab1
3270 bytes copied in 1.520 secs (3270 bytes/sec)
[OK]
Erasing Existing Configuration
This first step is optional as it will erase the firewall’s configuration. If the firewall has been previously configured or used, it is a good idea to start off with the factory defaults; if we are not certain, we prefer to wipe it clean and start from scratch. Once the configuration is deleted we need to force a reboot. Take note that it’s important not to save the system config when prompted, so that the running-config is not copied back to the startup-config; otherwise we’ll have to start this process again:
ciscoasa(config)# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o: N
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
Configure Hostname, Users, 'Enable' Password & Disable Anonymous Reporting
Next, we need to configure the Enable password, required for privileged exec mode access, and then the user accounts that will have access to the firewall.
The ASA Firewall won’t ask for a username/password when logging in next, however the default enable password of ‘cisco’ will be required to gain access to privileged mode:
ciscoasa> enable
Password: cisco
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
At this point we need to note that when starting off with the factory default configuration, as soon as we enter the ‘configure terminal’ command, the system will ask if we would like to enable Cisco’s call-home reporting feature. We declined the offer and continued with our setup:
ciscoasa(config)# hostname ASA5505
ASA5505(config)# enable password firewall.cx
ASA5505(config)# username admin password s1jw$528ds2 privilege 15
The privilege 15 parameter at the end of the command line ensures the system is aware that this is an account with full privileges and has access to all configuration commands, including erasing the configuration and files on the device’s flash disk, such as the operating system.
Configure Interface IP addresses / VLAN IP Addresses & Descriptions
Depending on the ASA appliance we have, we can configure physical interfaces (inside/outside) with IP addresses, usually done with ASA5510 and larger models, or create VLANs (inside/outside) and configure them with IP addresses, usually with the smaller ASA5505 models.
In many cases network engineers use VLAN interfaces on the larger ASA5500 models as well; however, this depends on the licensing capabilities of the device, the existing network setup and more.
In the case of the ASA5505 we must use VLAN interfaces, which are configured with their appropriate IP addresses and then (next step) characterised as inside (private) or outside (public) interfaces:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# description Private-Interface
ASA5505(config-if)# ip address 10.71.0.1 255.255.255.0
ASA5505(config-if)# no shutdown
!
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address 192.168.3.50 255.255.255.0
ASA5505(config-if)# no shutdown
!
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
Alternatively, the Public interface (VLAN2) can be configured to obtain its IP address automatically via DHCP with the following commands:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# description Public-Interface
ASA5505(config-if)# ip address dhcp setroute
ASA5505(config-if)# no shutdown
The setroute parameter at the end of the ip address dhcp command ensures the ASA Firewall sets its default route (gateway) using the default gateway the DHCP server provides.
After configuring VLAN1 & VLAN2 with the appropriate IP addresses, we configured ethernet 0/0 as an access link for VLAN2 so we can use it as a physical public interface. Out of the 8 Ethernet interfaces the ASA5505 has, at least one must be set with switchport access vlan 2, otherwise there won’t be any physical public interface on the ASA for our frontend router to connect to. Ethernet ports 0/1 to 0/7 must also be configured with the no shutdown command in order to make them operational. All of these ports are, by default, access links for VLAN1. The configuration commands for the first two ethernet interfaces are provided, as the configuration is identical for all:
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# no shutdown
Setup Inside (private) & Outside (public) Interfaces
Next, we must designate the Inside (private) and Outside (public) interfaces. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted (private) and which to the untrusted (public) network:
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
!
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
The ASA Firewall will automatically set the security level to 100 for inside interfaces and 0 for outside interfaces. Traffic can flow from higher security levels to lower (private to public), but not the other way around (public to private) unless explicitly permitted by an access list.
To change the security level of an interface, use the security-level xxx command, substituting xxx with a number from 0 to 100. The higher the number, the higher the security level. DMZ interfaces are usually configured with a security level of 50.
It is extremely important that the necessary caution is taken when selecting and applying the inside/outside interfaces on any ASA Firewall.
Configure Default Route (default gateway) & Static Routes
The default route configuration command is necessary for the ASA Firewall to route packets outside the network via the next hop, usually a router. In case the public interface (VLAN2) is configured using the ip address dhcp setroute command, configuration of the default gateway is not required.
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.1
At this point, it’s a good idea to test the next-hop router and confirm the ASA Firewall can reach it:
ASA5505(config)# ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
For networks with multiple internal VLANs, it is necessary to configure static routes to ensure the ASA Firewall knows how to reach them. Usually these networks can be reached via a Layer 3 switch or an internal router. For our example, we’ll assume we have two networks, 10.75.0.0/24 & 10.76.0.0/24, which we need to provide Internet access to. These additional networks are reachable via a Layer 3 device with IP address 10.71.0.100, which sits on the inside network, so the static routes point out of the inside interface with the networks’ /24 masks:
ASA5505(config)# route inside 10.75.0.0 255.255.255.0 10.71.0.100
ASA5505(config)# route inside 10.76.0.0 255.255.255.0 10.71.0.100
Configure Network Address Translation (NAT) for Internal Networks
This is the last step required to successfully provide Internet access to our internal networks. Network Address Translation is essential to masquerade our internal network using the single IP address our Public interface has been configured with. Network Address Translation, along with all its variations (Static, Dynamic etc), is covered in great depth in our popular Network Address Translation section.
We should note at this point that NAT configuration changed slightly with ASA software version 8.3 and above. We will provide both sets of commands, to cover installations with software version up to v8.2.5 and from v8.3 onwards.
The following commands apply to ASA appliances with software version up to 8.2.5:
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 10.71.0.0 255.255.255.0
ASA5505(config)# nat (inside) 1 10.75.0.0 255.255.255.0
ASA5505(config)# nat (inside) 1 10.76.0.0 255.255.255.0
In the above configuration, the ASA Firewall is instructed to NAT all internal networks using NAT group 1. The number ‘1’ identifies the NAT group, tying the nat (inside) statements to the global (outside) statement for the NAT process between the inside and outside interfaces. The global (outside) 1 interface command instructs the ASA Firewall to perform NAT (PAT, as the INFO line shows) using the IP address assigned to the outside interface.
Another method of configuring NAT is with the use of access lists. In this case, we define the internal IP addresses to be NAT’ed with the use of access lists:
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.75.0.0 255.255.255.0 any
ASA5505(config)# access-list NAT-ACLs extended permit ip 10.76.0.0 255.255.255.0 any
ASA5505(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA5505(config)# nat (inside) 1 access-list NAT-ACLs
NAT with the use of access lists provides greater flexibility and control over which IP addresses or networks will use the NAT service.
With software version 8.3 and newer, things have changed dramatically and there are no more access lists in NAT configuration lines.
The new NAT format now utilizes "object network", "object service" and "object-group network" to define the parameters of the NAT configuration.
The following commands (software version 8.3 and above) will provide NAT services to our internal networks so they can access the Internet:
ASA5505(config)# object network network1
ASA5505(config-network-object)# subnet 10.71.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
!
ASA5505(config)# object network network2
ASA5505(config-network-object)# subnet 10.75.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
!
!
ASA5505(config)# object network network3
ASA5505(config-network-object)# subnet 10.76.0.0 255.255.255.0
ASA5505(config-network-object)# nat (inside,outside) dynamic interface
Configuring the ASA DHCP Server
The existence of a DHCP server is necessary in most cases as it helps manage the assignment of IP addresses to our internal hosts. The ASA Firewall can be configured to provide DHCP services to our internal network, a very handy and welcome feature.
Again, there are some limitations with the DHCP service configuration which vary with the ASA model used. In our ASA5505, the maximum number of IP addresses for the DHCP pool was just 128!
Note that the DHCP service can run on all ASA interfaces, so it is necessary to specify which interface the DHCP configuration parameters are for:
ASA5505(config)# dhcpd address 10.71.0.50-10.71.0.200 inside
Warning, DHCP pool range is limited to 128 addresses, set address range as: 10.71.0.50-10.71.0.177
ASA5505(config)# dhcpd address 10.71.0.50-10.71.0.128 inside
ASA5505(config)# dhcpd dns 8.8.8.8 interface inside
ASA5505(config)# dhcpd enable inside
Once configured (the dhcpd enable inside command starts the service on that interface), the DHCP service will begin assigning IP addresses to the clients. The gateway IP address is automatically provided to clients and is not required to be configured on the ASA Firewall appliance.
We can verify the DHCP service is working using the show dhcpd statistics command:
ASA5505(config)# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0
Address pools 1
Automatic bindings 1
Expired bindings 0
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 1
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 1
If required, we can clear the DHCP bindings (assigned IP addresses) using the clear dhcpd binding command.
Configure AAA Authentication for Local Database User Authentication
Configuring AAA authentication is always a good idea as it instructs the ASA Firewall which user database to use for the various services it's running. For example, we can tell the ASA Firewall to use a RADIUS server for VPN user authentication, but use its local database for telnet, SSH or HTTP (ASDM) management access to the Firewall appliance.
As mentioned, our example instructs the ASA Firewall to use its local database:
ASA5505(config)# aaa authentication telnet console LOCAL
ASA5505(config)# aaa authentication http console LOCAL
ASA5505(config)# aaa authentication ssh console LOCAL
Enable HTTP Management for Inside Interface
We now turn to the management settings of our ASA Firewall to enable and configure HTTP management. This will allow access to the Firewall’s management via the popular ASDM management application:
ASA5505(config)# http 10.71.0.0 255.255.255.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
ASA5505(config)# http server enable
The above commands enable HTTP management on the ASA Firewall only for the network 10.71.0.0/24 on the inside interface.
Enable SSH & Telnet Management for Inside and Outside Interfaces
Enabling SSH and Telnet access to the Cisco Firewall is pretty straightforward. While we always recommend the use of SSH, especially when accessing the Firewall from public IPs, telnet is also an option; however, we must keep in mind that telnet management does not provide any security, as all data (including usernames, passwords and configurations) is sent in clear text.
Before enabling SSH, we must generate an RSA key pair, which the firewall uses for its SSH identity. Telnet does not require any such step as it does not provide any encryption or security:
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ASA5505(config)# ssh 10.71.0.0 255.255.255.0 inside
ASA5505(config)# ssh 200.200.90.5 255.255.255.255 outside
ASA5505(config)# telnet 10.71.0.0 255.255.255.0 inside
Note that the ASA Firewall appliance will only accept SSH connections from host 200.200.90.5 arriving on its public interface, while SSH and telnet connections are permitted from network 10.71.0.0/24 on the inside interface.
Create, Configure and Apply TCP/UDP Object-Groups
An essential part of any firewall configuration is to define the Internet services our users will have access to. This is done either by creating a number of lengthy access lists for each protocol/service and then applying them to the appropriate interfaces, or by utilising the ASA Firewall Object-Groups, which are then applied to the interfaces. Using Object-groups is easy and recommended as they provide a great deal of flexibility and ease of management.
The logic is simple: create your Object-Groups, insert the protocols and services required, and then reference them in the firewall access-lists. As a last step, we apply them to the interfaces we need.
Let’s use an example to help visualise the concept. Our needs require us to create two Object-Groups, one for TCP and one for UDP services:
ASA5505(config)# object-group service Internet-udp udp
ASA5505(config-service)# description UDP Standard Internet Services
ASA5505(config-service)# port-object eq domain
ASA5505(config-service)# port-object eq ntp
ASA5505(config-service)# port-object eq isakmp
ASA5505(config-service)# port-object eq 4500
!
ASA5505(config)# object-group service Internet-tcp tcp
ASA5505(config-service)# description TCP Standard Internet Services
ASA5505(config-service)# port-object eq www
ASA5505(config-service)# port-object eq https
ASA5505(config-service)# port-object eq smtp
ASA5505(config-service)# port-object eq 465
ASA5505(config-service)# port-object eq pop3
ASA5505(config-service)# port-object eq 995
ASA5505(config-service)# port-object eq ftp
ASA5505(config-service)# port-object eq ftp-data
ASA5505(config-service)# port-object eq domain
ASA5505(config-service)# port-object eq ssh
ASA5505(config-service)# port-object eq telnet
Now we need to reference our two Object-groups using the firewall access lists. Here we can also define which networks will have access to the services listed in each Object-group:
ASA5505(config)# access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
ASA5505(config)# access-list inside-in extended permit udp 10.71.0.0 255.255.255.0 any object-group Internet-udp
ASA5505(config)# access-list inside-in extended permit tcp 10.71.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.75.0.0 255.255.255.0 any object-group Internet-tcp
ASA5505(config)# access-list inside-in extended permit tcp 10.76.0.0 255.255.255.0 any object-group Internet-tcp
Note that the 10.71.0.0/24 network has access to the services of both Object-groups, while our other networks are restricted to only the services defined in the TCP Object-group. To understand how Object-groups help simplify access list management: without them, we would require 37 access-list commands instead of just 4!
Configuration of Access-Lists for ICMP Packets to the Internet
To complete our access list configuration we configure our ASA Firewall to allow ICMP echo packets (ping) to any destination, and their replies (echo-reply):
ASA5505(config)# access-list inside-in extended permit icmp 10.71.0.0 255.255.255.0 any
ASA5505(config)# access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
ASA5505(config)# access-list outside-in extended permit icmp any any echo-reply
Applying Firewall Access-Lists to ‘inside’ and ‘outside’ Interfaces
The last step in configuring our firewall rules involves applying the two access lists, inside-in & outside-in, to the appropriate interfaces. Once this step is complete the firewall rules are in effect immediately:
ASA5505(config)# access-group inside-in in interface inside
ASA5505(config)# access-group outside-in in interface outside
Configure Logging/Debugging of Events & Errors
This last step in our ASA Firewall configuration guide will enable logging and debugging so that we can easily trace events and errors. It is highly recommended to enable logging because it will certainly help when troubleshooting the ASA Firewall.
ASA5505(config)# logging buffered 7
ASA5505(config)# logging buffer-size 30000
ASA5505(config)# logging enable
The commands used above enable logging at the debugging level (7) and set the size of the log buffer in RAM to 30,000 bytes (~30 Kbytes).
Issuing the show log command will reveal a number of important logs including any packets that are processed or denied due to access-lists:
ASA5505(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 39925 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54845 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54844 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
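The deny lines in the show log output are the quickest way to find out why a client cannot reach something: every %ASA-4-106023 names the access-group, the source and the destination port. The following added example (not code from the Firewall.cx article) parses lines of that format and counts the denies per access-group, source and destination port, so that a client repeatedly hitting a port that is missing from an object-group stands out. The regular expressions follow the 106023 and 302014 message formats exactly as they appear in the show log output above; the sample lines are constructed from them, and the function names are this example's own.

```python
"""Parse ASA syslog lines of the kind 'show log' prints and summarise the
access-list denies.

Added example, not code from the Firewall.cx article. SAMPLE_LOG is a
constructed sample in the format of the article's show log output.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: three ACL denies and one connection teardown.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54843 dst outside:10.0.0.10/445 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.71.0.50/54850 dst outside:10.0.0.10/139 by access-group "inside-in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.71.0.50/137 dst outside:10.0.0.10/137 by access-group "inside-in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 4718 for outside:173.194.40.49/443 to inside:10.71.0.50/54803 duration 0:02:00 bytes 1554462 TCP FINs
"""

# ASA syslog severity levels; 7 (debugging) is what 'logging buffered 7' selects.
SEVERITY = {0: "emergencies", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# %ASA-<severity>-<6-digit message id>: <body>
HEADER_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$")
# Body of message 106023: packet denied by an access-group.
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for a recognised ASA syslog line, or None otherwise.
    The 'show log' status header and truncated fragments are skipped, not errors."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    rec: Dict = {"severity": sev, "severity_name": SEVERITY[sev],
                 "msgid": m["msgid"], "body": m["body"]}
    if rec["msgid"] == "106023":
        d = DENY_RE.match(rec["body"])
        if d:
            rec.update(d.groupdict())
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text: str) -> List[Dict]:
    """Parse every recognised line of a show log dump."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize_denies(text: str) -> Counter:
    """Count 106023 denies by (access-group, source IP, protocol, destination port).
    The same client hitting the same denied port over and over usually means a
    service is missing from the object-group, which is what to check first."""
    counts: Counter = Counter()
    for r in parse_log(text):
        if r["msgid"] == "106023" and "acl" in r:
            counts[(r["acl"], r["sip"], r["proto"], r["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (acl, sip, proto, dport), n in summarize_denies(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {acl:10s} {sip:15s} {proto}/{dport}")
```

On the sample this lists one deny each for TCP 445, TCP 139 and UDP 137 from 10.71.0.50, which are file-sharing ports that the article's TCP and UDP object-groups deliberately do not include, so the firewall is working as configured.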
Conclusion
This article serves as an introductory configuration guide for the ASA5500 series Firewall appliances. We covered all the necessary commands required to get any ASA5500 Firewall working and servicing network clients, while also explaining in detail all commands used during the configuration process.