Computer Network | Basic configuration of adaptive security appliance (ASA)

Prerequisite – Adaptive security appliance (ASA)
Adaptive Security Appliance (ASA) is a Cisco security appliance which combines classic firewall features with VPN, Intrusion Prevention and antivirus capabilities. It has the capability to provide threat defense before the attacks spread into the networks.

As an administrator, we have to ensure protection against unauthorised access to our firewall. We can set login passwords, enable passwords for this. Also, we will discuss about configuring an IP address on ASA interface.

Administrative Configuration –

Bring up the interface and assigning an IP address to ASA.
To configure an IP address on the interface of an ASA, we have to configure 4 things:

  1. Bring up the interface –
    After entering into global interface mode, use the command no shut to bring up the interface.
  2. Assign an IP address to the interface of ASA –
    After bringing up the interface, assign an IP address by the command



    IP address IP_address Subnet_Mask  

    Its the same way by which we assign an IP address to the router’s interface. But the difference is that we can assign an IP address to ASA interface without the subnet mask also.

    IP address IP_address

    Now, if we don’t give a subnet mask, it automatically takes a classful subnet mask.for example if we assign 192.168.1.1 to the ASA interface the it will automatically takes 255.255.255.0 as subnet mask.

  3. Assign a nameif to the ASA interface –
    In ASA, we also assign a name to the interface otherwise the interface will be down. The most common names are INSIDE, OUTSIDE or DMZ. These names are used while applying a policy but has no role for forwarding the traffic.
    We can assign a name to an ASA interface by the command:

    nameif NAME 

    NAME is the name you want to give to an interface.

  4. Assign a security level to the interface –
    Security level is an integer value ranging from 0 to 100. It tells the trustworthiness of an interface i.e which interface is most trusted. 0 means less trusted while 100 means the most trusted.
    If we provide the name INSIDE to an interface, it will automatically provide security level 100 to it and if we provide any other name like OUTSIDE or DMZ, it will assign automatically 0 to it but can be changed manually.
    We can assign security level to an interface by the command:

    Security-level {value} 

    Here is an example where we will provide IP address 192.268.1.1 and subnet mask 255.255.255.0, name as INSIDE and security-level as 100.

    asa(config)#int e0
    asa(config-if)#no shut
    asa(config-if)#ip address 192.168.1.1 255.255.255.0
    asa(config-if)#nameif INSIDE 
    asa(config-if)#security level 100

Giving hostname to ASA –
It is used to set a name to a device stating an identity to a device.It is given by the same command that is used on the router :-

asa(config)#hostname ciscoasa
ciscoasa(config)#

Setting passwords –
As ASA is a security device, by default it will ask for password while we try to enter privilege mode. By default, no password is set therefore by simply clicking enter, we can enter the privilege mode.

enable password –
The enable password is used for securing privilege mode. In routers, this password is shown in clear text in running-configuration but in ASA, this password is encrypted (therefore no enable secret required.) The password is a case-sensitive password of up to 16 alphanumeric and special characters. We can set an enable password by

asa(config)#enable password GeeksforGeeks 

Or by the command



asa(config)#enable passwd GeeksforGeeks 

Where GeeksforGeeks is the password.
If we want to disable this password or set password to default then simply enter the command.

asa(config)#enable password 

login password –
This password is used for taking access of ASA by using Telnet or SSH. By default, the login password is “Cisco”. We can change it by the command

asa(config)#password GeeksforGeeks 
or 
asa(config)#passwd GeeksforGeeks 

Where GeeksforGeeks is the login password.

Using local database for login:
A local database is configured on the device (username and password) so that it can be used for the login purpose. It is configured in the same manner as it is configured on the router. A local database can be configured on the device using the command

asa(config)#username SAURABH password GeeksforGeeks 

Where SAURABH is username and password is GeeksforGeeks.
If we want the ASA to use its local database for its login purpose then we can use the command

asa(config)#aaa authentication serial console LOCAL

Here, note that LOCAL is case-sensitive



My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.




Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.