ASA Basic Interface Configurations

I am off and running – wohoo! For today’s reading, I enjoyed the appropriate sections of the ASA All In One text from Cisco Press.

For lab work – I read the CCNP Security Lab Workbook from ACIT.in. I then created my own lab allowing me to practice a similar set of exercises in GNS3.

In this first objective – we just need to be able to FLY through the basic configurations on an ASA interface. Remember, these interfaces possess names and security levels. Remember also that we are going to ping from the ASA to verify connectivity. We cannot, by default, ping through the ASA.

Here we go:

ciscoasa(config)# hostname ASA1
ASA1(config)# interface gi0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip address 200.1.30.254 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/50 ms
ASA1(config-if)# interface gi1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip address 200.1.10.254 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/60 ms
ASA1(config-if)# interface gi2
ASA1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 200.1.20.254 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# ping 200.1.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/40 ms
ASA1(config-if)# wr
Building configuration...
Cryptochecksum: d785382c b71ac6aa 74d5b0f8 0a2ef12d

This sure was fun! I guess because it was so easy right?!?! CCNA Security stuff here. Now for a quick review of how the security levels work on the ASA. A device on the INSIDE should be able to Telnet to a device on the OUTSIDE, but the opposite should not be true. Let’s try it:

R1#telnet 200.1.30.3
Trying 200.1.30.3 ... Open

User Access Verification
Password: 
R3>exit
R3#telnet 200.1.10.1
Trying 200.1.10.1 ...
% Connection timed out; remote host not responding

Perfect! The ASA is functioning just as we would expect. Questions – comments – use the area below!
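
As an added example (not part of the original post or the lab workbook), this Python sketch reads the interface commands from the session above and predicts the default verdict for a new Telnet-style TCP connection between two hosts when no ACLs are applied. The function names are hypothetical, and it models connection initiation only, not ICMP replies or NAT.

```python
import ipaddress

# Constructed sample: interface commands from the session above, prompts kept.
SESSION = """\
ASA1(config)# interface gi0
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 200.1.30.254 255.255.255.0
ASA1(config-if)# interface gi1
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 200.1.10.254 255.255.255.0
ASA1(config-if)# interface gi2
ASA1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 200.1.20.254 255.255.255.0
"""

def parse_interfaces(session):
    """Map each nameif to its security level and connected network."""
    zones, cur = {}, None
    for line in session.splitlines():
        words = line.split("# ", 1)[-1].split()  # drop the CLI prompt, if any
        if not words or words[0] == "interface":
            cur = None
        elif words[0] == "nameif":
            # Default levels: the name "inside" gets 100, any other name gets 0.
            cur = zones[words[1]] = {"level": 100 if words[1] == "inside" else 0, "net": None}
        elif cur and words[0] == "security-level":
            cur["level"] = int(words[1])
        elif cur and words[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
    return zones

def zone_of(zones, ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, z in zones.items() if z["net"] is not None and addr in z["net"]), None)

def default_verdict(zones, src_ip, dst_ip):
    """New connection with no ACL applied: permit only from a higher level to a lower one."""
    src, dst = zone_of(zones, src_ip), zone_of(zones, dst_ip)
    if src is None or dst is None or src == dst:
        return "n/a"  # does not cross two known ASA interfaces
    # Equal levels are also denied unless same-security-traffic is enabled.
    return "permit" if zones[src]["level"] > zones[dst]["level"] else "deny"

if __name__ == "__main__":
    z = parse_interfaces(SESSION)
    for s, d in [("200.1.10.1", "200.1.30.3"), ("200.1.30.3", "200.1.10.1"), ("200.1.20.2", "200.1.10.1")]:
        print(s, "->", d, default_verdict(z, s, d))
```

The first two pairs are the R1 and R3 Telnet tests from the post; the third shows the DMZ at level 50 being refused toward the inside for the same reason.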

5 thoughts on “ASA Basic Interface Configurations”

  1. Yes, right, because ASA doesn’t allow lower security level network to come into higher security area …

    So, outside network cannot reach inside without ACL, but inside can go and connect outside world because it has security level 100

    1. Yes – excellent! We see the name outside get a 0 security level and inside get a 100. Water cannot flow from a low point to a high point – so access is not permitted from the low number to the high number.

    1. You will love it! There is a focus on the GUI – but then they wisely provide the CLI output as well. I am going to stick to the CLI again when configuring the ASA devices in the lab.
