Suggested prerequisite reading
»Cisco Forum FAQ »Things to expect when setup network for home or small business

Physical Connection

When it is time to configure your network firewall, there are basic steps you need to take regardless of the equipment brand or model you use. One of those steps is working out which PIX Firewall or ASA port will be the WAN port and which will be the LAN port. Once all the proper cables are connected, you then configure the PIX Firewall or ASA software.

In terms of plugging in cables, some Cisco equipment, including the Cisco PIX Firewall and ASA, is not that clear about which port is WAN and which is LAN. To find out which ports are which on your Cisco PIX Firewall or ASA, the following preliminary hardware setup guides should give you an idea. Specifically for Cisco PIX Firewall and ASA configuration, you need to plug the correct cables into the WAN, LAN, and CONSOLE ports.

Cisco PIX Firewall Hardware Installation Guide

Cisco ASA 5500 Series Hardware Installation Guide

Basic Cisco PIX Firewall/ASA Configuration

Next is the software setup. Here you configure the PIX Firewall with the proper IP connection scheme (DNS, IP subnets, etc.) to make the WAN/LAN connection work.

There are alternative ways to configure the PIX Firewall and ASA. Some people prefer to use the Web-based interface (i.e. SDM or ASDM) since it "seems" easier to use. Keep in mind that SDM/ASDM is not available on every PIX Firewall or ASA. Even when SDM/ASDM is available, some features can only be configured outside SDM/ASDM.

The most straightforward way to configure the PIX Firewall and ASA is the CLI (Command Line Interface). With the CLI, you can configure the equipment any way you like, from the basic configuration to the most advanced one.

You need the following items to be able to use the CLI.

* Cisco console cable kit (cable and adapters)
* PC or laptop running Windows with the HyperTerminal program installed (or running any operating system with terminal emulator software installed)

Do you have a Cisco console kit? If not, you could go to your local computer shop to get one, or buy one from eBay. Basically what you need is an RS-232 cable with a DB-9 or DB-25 connector (depending on your computer's serial port) on one end to go to your computer serial port, and an RJ-45 connector on the other end to go to the PIX Firewall or ASA CONSOLE port. If your computer does not have a serial port and only has USB ports, then you need a DB9-USB or DB25-USB adapter.



Note:

It is preferable to use a DB-9 or DB-25 serial port for console access instead of a USB port. In some cases a DB9-USB or DB25-USB adapter may not work, depending on the adapter model or its settings.




Once you have the CONSOLE cable and physical access to the CONSOLE port, this is the first step you need to know.

Accessing the CONSOLE port:
Cisco PIX Firewall 501
Cisco PIX Firewall 506/506E
Cisco PIX Firewall 515/515E
Cisco ASA 5500

If everything works right, you should get a prompt like this:

pixfirewall>

When you see such a prompt, you are in the CLI. The PIX Firewall or ASA is then ready to receive commands. You can enter the following command to start.

pixfirewall>enable

You may be asked for a password. If so, just enter it. When the PIX Firewall or ASA is brand new or at factory default, pressing ENTER on your keyboard should get you into enable/privileged mode, which shows a prompt like this

pixfirewall#

If pressing ENTER does not get you into enable/privileged mode and you don't know the password, then you need to do password recovery. There's a FAQ in this forum on how to do it.

»Cisco Forum FAQ »Password Recovery Procedures - proper BREAK key sending

Notice that the prompt changes once you pass the password question

pixfirewall#

from > to #.

When you see the # prompt, you are in enable/privileged mode. In privileged mode you can check the PIX Firewall or ASA configuration. To do so, issue the following command:

pixfirewall#write terminal

If the PIX or ASA is running OS version 6.x, 7.x, or later, you can also issue the following command, which gives exactly the same output.

pixfirewall#show running-config

Keep in mind that the output you are about to see may not exactly match the following. The output varies; it depends heavily on your PIX or ASA Firewall model and on the features activated or used. In general, however, it should look something like this.

PIX Version 6.3(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 shutdown
interface ethernet1 shutdown
mtu outside 1500
mtu inside 1500
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
no failover
arp timeout 14400
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:adffa2c4ed9043ce3e54e959acacd8d8
: end

The configuration above is from a PIX Firewall running OS version 6.3. If your PIX Firewall or ASA is running OS version 7.0 or later, the equivalent configuration looks like the following

hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
!
interface Ethernet0/0
no nameif
no security-level
shutdown
!
interface Ethernet0/1
no nameif
no security-level
shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

On a PIX Firewall running OS version 6.x, by default interface Ethernet0 is the WAN port (called the outside interface) and interface Ethernet1 is the LAN port (called the inside interface). Also by default, the outside security level is 0 (zero) and the inside security level is 100. You can see all of this in the nameif commands.

On an ASA or PIX Firewall running OS version 7.0 or later, by default none of the interfaces have a security level assigned, unlike OS version 6.x. Therefore, as a minimum requirement, you need to pick one interface as the Outside (WAN) interface and one interface as the Inside (LAN) interface.

With OS version 7.0 or later, you can set any interface as either the WAN or the LAN port. For instance, you could have interface Ethernet0/0 as inside (LAN) and Ethernet0/1 as outside (WAN). Keep in mind that whichever interface you choose as outside or inside, the outside security level is still 0 (zero) and the inside security level is still 100. You will see this once you set a specific interface as either outside or inside.

As the configurations above show, a PIX Firewall running OS version 6.3 has a configuration similar to an ASA or PIX Firewall running OS version 7.0 or later. There are some small differences here and there, but the general concept is the same.

To help you further, there will be specific command lines for a PIX Firewall running OS version 6.3 and specific command lines for an ASA or PIX Firewall running OS version 7.0 or later. When there is no such specification, the command lines apply to OS version 6.3 and later (including, of course, OS version 7.0 or later).

Let's move on. As mentioned, you need to configure the PIX Firewall with the proper IP connection scheme (DNS, IP subnets, etc.). To do that, you have to enter configuration mode by issuing the following command

pixfirewall#configure terminal

Then you should see the following prompt.

pixfirewall(config)#

The (config)# prompt indicates that you are in configuration mode.

Let us say that the following are the IP subnets you need to put into the PIX Firewall or ASA.

WAN:
Subnet: 23.42.53.0/24 network (or 23.42.53.0 network with subnet mask of 255.255.255.0)
IP address: 23.42.53.24
Default Gateway: 23.42.53.1
DNS: 23.42.52.1

LAN:
Subnet: 10.10.10.0/24 network (or 10.10.10.0 network with subnet mask of 255.255.255.0)
IP address: 10.10.10.1 (the default gateway for your LAN machines sitting behind the PIX or ASA)

To configure this information, the general idea is to do the following:

1. Enter configuration mode (which you already are in)
2. Type in the interface IP address and subnet mask
3. Issue the speed and duplex setting commands to bring up the interfaces. For this illustration, all interfaces are set to auto negotiation
4. Enter the default gateway command
5. Specify the LAN subnet that needs WAN access via NAT or PAT
6. Specify the WAN IP address as the NAT/PAT-ed IP address for the LAN subnet
7. Activate the NAT/PAT-ed IP address
8. Save the configuration.

Note that to access the WAN or the Internet, the LAN subnet will be NAT/PAT-ed to the WAN IP address. In the typical Internet gateway environment, where you connect the PIX Firewall or ASA WAN port to an Internet modem/router and the LAN port to the internal switch, this NAT/PAT mechanism is usually required. It is possible to have no NAT/PAT on the PIX/ASA, depending on how your network is set up. For the sake of illustration, this FAQ assumes NAT/PAT on the PIX/ASA is required.

Side Note:
If you are not comfortable with the NAT/PAT concept, check out the following FAQ
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Here are the walkthrough configuration steps.

The interface IP address and subnet mask configuration

The WAN interface:

PIX Firewall running OS version 6.3
pixfirewall(config)#ip address outside 23.42.53.24 255.255.255.0
pixfirewall(config)#interface ethernet0 auto

PIX Firewall/ASA running OS version 7.0 or later
asa(config)#interface Ethernet0/0
asa(config-if)#nameif outside
asa(config-if)#duplex auto
asa(config-if)#speed auto
asa(config-if)#ip address 23.42.53.24 255.255.255.0
asa(config-if)#no shutdown

Note that on an ASA or PIX Firewall running OS version 7.0 or later, the outside interface security-level is automatically set to 0 (zero).

The LAN interface:

PIX Firewall running OS version 6.3
pixfirewall(config)#ip address inside 10.10.10.1 255.255.255.0
pixfirewall(config)#interface ethernet1 auto

PIX Firewall/ASA running OS version 7.0 or later
asa(config-if)#interface Ethernet0/1
asa(config-if)#nameif inside
asa(config-if)#duplex auto
asa(config-if)#speed auto
asa(config-if)#ip address 10.10.10.1 255.255.255.0
asa(config-if)#no shutdown

Note that on an ASA or PIX Firewall running OS version 7.0 or later, the inside interface security-level is automatically set to 100 (one hundred).

For the ASA 5505, you may be required to use Layer-3 VLAN interfaces to assign IP addresses, since the physical Ethernet interfaces can't take an IP address directly. When this is the case, you can do the following as one way of assigning IP addresses.

1. Pick ASA 5505 Port 1 as the WAN port and Port 2 as the LAN port
2. Configure Ports 1 and 2 as Layer-2 access ports
3. Assign Port 1 as a member of VLAN 10. Similarly, assign Port 2 as a member of VLAN 11
4. Create Layer-3 VLAN 10 and VLAN 11 interfaces
5. Set the VLAN 10 interface as Outside (WAN) and the VLAN 11 interface as Inside (LAN)
6. Assign the appropriate IP addresses under the VLAN 10 and VLAN 11 interfaces

Illustration

asa(config)#interface Ethernet0/1
asa(config-if)#switchport access vlan 10
asa(config-if)#interface Ethernet0/2
asa(config-if)#switchport access vlan 11
asa(config-if)#interface VLAN10
asa(config-if)#description WAN
asa(config-if)#nameif outside
asa(config-if)#ip address 23.42.53.24 255.255.255.0
asa(config-if)#interface VLAN11
asa(config-if)#description LAN
asa(config-if)#nameif inside
asa(config-if)#ip address 10.10.10.1 255.255.255.0

To configure the default gateway, do the following:

pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 23.42.53.1

When you wish to permit a specific LAN subnet (i.e. 10.10.10.0/24) to have WAN access, issue the following command.

pixfirewall(config)#nat (inside) 1 10.10.10.0 255.255.255.0 0 0

If you wish to permit all LAN subnets to have WAN access, issue the following command.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0

To specify the WAN NAT/PAT-ed IP address for the LAN subnet, you can similarly specify a single IP address, a range of IP addresses, or the WAN interface IP address itself. Let's say for illustration you want to use the WAN interface IP address itself. Then the command is

pixfirewall(config)#global (outside) 1 interface

Note that there is a 1 parameter on both the nat and global commands. When doing NAT/PAT, this parameter must match on both commands. If, say, the nat command uses 3, then the global command must use 3 as well. In other words, a NAT/PAT process is identified by a matching pair of nat and global commands.

To activate the NAT/PAT-ed IP address (or, to be exact, to reset all existing NAT/PAT translations), issue the following command.

pixfirewall(config)#clear xlate

Keep in mind that this illustration assumes you have a static WAN IP address scheme in an Ethernet environment. When this does not match your situation, please go to the FAQ subsection and find the most suitable environment (PPP, DHCP, etc.).

There should be no further steps necessary to configure the PIX Firewall. You then need to exit configuration mode and save the changes, as follows.

pixfirewall(config)#exit
pixfirewall#write memory

You can also issue the following command to save the changes if the PIX or ASA is running OS 6.x, 7.x, or later.

pixfirewall#copy running-config startup-config
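As an added example (not part of the original FAQ), the small audit script below reads a PIX 6.x style running-config such as the one shown earlier and checks the points this FAQ walks through: that every nat id has a matching global id (and vice versa), that no interface is still shut down, that the outside/inside security levels are the expected 0 and 100, and that the SNMP community is not left at the default. The sample config embedded in it is constructed for the illustration and deliberately contains a nat/global id mismatch.

```python
import re

# Constructed sample modelled on the 6.3-style running-config in this FAQ.
# It deliberately has a nat/global id mismatch (nat uses 3, global uses 1)
# and leaves the inside interface shut down.
SAMPLE_CONFIG = """\
PIX Version 6.3(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 shutdown
ip address outside 23.42.53.24 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 3 10.10.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 23.42.53.1 1
snmp-server community public
"""

EXPECTED_LEVELS = {"outside": 0, "inside": 100}


def audit_pix_config(text):
    """Return a list of findings (strings) for a PIX 6.x style config."""
    findings = []
    nat_ids, global_ids = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"nat \(\S+\) (\d+) ", line)
        # nat id 0 is identity NAT (no translation) and needs no global.
        if m and m.group(1) != "0":
            nat_ids.add(m.group(1))
        m = re.match(r"global \(\S+\) (\d+) ", line)
        if m:
            global_ids.add(m.group(1))
        m = re.match(r"interface (\S+) shutdown$", line)
        if m:
            findings.append(f"interface {m.group(1)} is still shut down")
        m = re.match(r"nameif \S+ (\S+) security(\d+)$", line)
        if m:
            name, level = m.group(1), int(m.group(2))
            expected = EXPECTED_LEVELS.get(name)
            if expected is not None and level != expected:
                findings.append(f"{name} has security{level}, expected security{expected}")
        if line == "snmp-server community public":
            findings.append("SNMP community is the default 'public'")
    # A NAT/PAT process is a matched nat/global pair; report any orphan id.
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global id")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no matching nat id")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of write terminal or show running-config in place of the sample to run the same checks against your own box.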

As for the DNS information, you need to provide it to your LAN machines. You can do it either statically or automatically. Doing it statically usually means configuring the LAN machines with static IP addresses. Doing it automatically usually means configuring the LAN machines with dynamic IP addresses.

Keep in mind that the LAN machine configuration steps vary; they depend heavily on the operating system (i.e. Windows, Mac, or Linux). In general, whether you configure the LAN machines with static or dynamic IP addresses, go to the machine's network configuration and do it from there.

To explore more features and commands, check out the following FAQ
»Cisco Forum FAQ »Understanding PIX Firewall/ASA

Note:
This FAQ is written with the purpose of introducing the CLI to novices. It is not intended as a complete guide on how to set up an ASA/PIX Firewall to connect to the Internet in a specific WAN/LAN environment, or on how to set up a used ASA/PIX Firewall that already has a saved configuration file in place. If you are trying to connect the ASA/PIX Firewall to the rest of your network or to other network devices, please carefully review how you want the network to look and how each network device (such as modems, routers, switches, and firewalls) interacts and communicates with the others.

When the ASA/PIX Firewall is going to connect to the Internet provided by an ISP via cable modem, DSL, or T1/E1, please go to the other FAQ subsections and find the most suitable environment (PPP, DHCP, static, etc.). If you are not sure how the ASA/PIX Firewall should connect to the ISP, please consult the ISP, since your ISP is the most knowledgeable source concerning its own connections to customers. You can check out the following FAQ to get a better idea of how to review and discuss technical requirements with ISP support.
»Cisco Forum FAQ »Things to expect when setup network for home or small business

Some FAQ links for firewall configuration in specific WAN/LAN environments
Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco
Router-Firewall Combo
Various Sample Network Design with Routers, Switches, and Firewalls

Guide to ISP consultation on finding out how to connect to the ISP
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

For further info on command descriptions, check out the following
Cisco PIX Firewall Command Reference, Version 6.3
Cisco Security Appliance Command Reference, Version 7.0
Cisco Security Appliance Command Reference, Version 8.0

Cisco link
Configuring ASA and PIX Security Appliances

Still confused?

If you still find yourself confused after reviewing all the links and descriptions above, post a question by creating a new thread on the Cisco forum, following this guide.
»Cisco Forum FAQ »How do I post in the forum?

Feedback received on this FAQ entry:
  • Thanks for your very clear simple guide to configuring a Cisco PIX/ASA. Need to add that one needs to change the config on the inside interface of the gateway router:-)

    2010-12-10 08:30:20

by aryoba See Profile
last modified: 2013-04-17 12:36:25