Prerequisite – Adaptive security appliance (ASA)
Adaptive Security Appliance (ASA) is a Cisco security appliance which combines classic firewall features with VPN, Intrusion Prevention and antivirus capabilities. It has the capability to provide threat defense before the attacks spread into the networks.
As an administrator, we have to ensure protection against unauthorised access to our firewall. We can set login passwords, enable passwords for this. Also, we will discuss about configuring an IP address on ASA interface.
Administrative Configuration –
Bring up the interface and assigning an IP address to ASA.
To configure an IP address on the interface of an ASA, we have to configure 4 things:
- Bring up the interface –
After entering into global interface mode, use the command no shut to bring up the interface.
- Assign an IP address to the interface of ASA –
After bringing up the interface, assign an IP address by the command
IP address IP_address Subnet_Mask
Its the same way by which we assign an IP address to the router’s interface. But the difference is that we can assign an IP address to ASA interface without the subnet mask also.
IP address IP_address
Now, if we don’t give a subnet mask, it automatically takes a classful subnet mask.for example if we assign 192.168.1.1 to the ASA interface the it will automatically takes 255.255.255.0 as subnet mask.
- Assign a nameif to the ASA interface –
In ASA, we also assign a name to the interface otherwise the interface will be down. The most common names are INSIDE, OUTSIDE or DMZ. These names are used while applying a policy but has no role for forwarding the traffic.
We can assign a name to an ASA interface by the command:
NAME is the name you want to give to an interface.
- Assign a security level to the interface –
Security level is an integer value ranging from 0 to 100. It tells the trustworthiness of an interface i.e which interface is most trusted. 0 means less trusted while 100 means the most trusted.
If we provide the name INSIDE to an interface, it will automatically provide security level 100 to it and if we provide any other name like OUTSIDE or DMZ, it will assign automatically 0 to it but can be changed manually.
We can assign security level to an interface by the command:
Here is an example where we will provide IP address 192.268.1.1 and subnet mask 255.255.255.0, name as INSIDE and security-level as 100.
asa(config)#int e0 asa(config-if)#no shut asa(config-if)#ip address 192.168.1.1 255.255.255.0 asa(config-if)#nameif INSIDE asa(config-if)#security level 100
Giving hostname to ASA –
It is used to set a name to a device stating an identity to a device.It is given by the same command that is used on the router :-
asa(config)#hostname ciscoasa ciscoasa(config)#
Setting passwords –
As ASA is a security device, by default it will ask for password while we try to enter privilege mode. By default, no password is set therefore by simply clicking enter, we can enter the privilege mode.
enable password –
The enable password is used for securing privilege mode. In routers, this password is shown in clear text in running-configuration but in ASA, this password is encrypted (therefore no enable secret required.) The password is a case-sensitive password of up to 16 alphanumeric and special characters. We can set an enable password by
asa(config)#enable password GeeksforGeeks
Or by the command
asa(config)#enable passwd GeeksforGeeks
Where GeeksforGeeks is the password.
If we want to disable this password or set password to default then simply enter the command.
login password –
This password is used for taking access of ASA by using Telnet or SSH. By default, the login password is “Cisco”. We can change it by the command
asa(config)#password GeeksforGeeks or asa(config)#passwd GeeksforGeeks
Where GeeksforGeeks is the login password.
Using local database for login:
A local database is configured on the device (username and password) so that it can be used for the login purpose. It is configured in the same manner as it is configured on the router. A local database can be configured on the device using the command
asa(config)#username SAURABH password GeeksforGeeks
Where SAURABH is username and password is GeeksforGeeks.
If we want the ASA to use its local database for its login purpose then we can use the command
asa(config)#aaa authentication serial console LOCAL
Here, note that LOCAL is case-sensitive
Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.