HOME

ASA Basics

ASDM

ASDM provides the GUI (Graphical user interface) to configure and manage the ASA. After enabling the ASDM we can use it in two different ways. 1. through accessing in browser. 2. through installing application on desktop. If we want to access through application then we can download it from ASA when first time accessing the ASDM through browser.

Enabling ASDM

1. Check the ASDM bin file into flash (show disk0:) if is not present then upload it.
2. After that tell to ASA which ASDM file will be use.
   ASA1(config)# asdm image disk0:/asdm-731.bin
3. Enable the HTTP. By default it is disabled.
   ASA1(config)# http server enable
   hostname(config)# http server enable 443
   NOTE: Port 443 is the default port for ASDM. If you want to change this port number then you can do it. If you are changing the port number for ASDM then you have to use this port number in your URL when you are accessing the ASDM. Example, if you change the port number to 444, Then enter the following: https://10.1.1.1:444
4. Restrict the access (We should restrict the access. Here I have allowed the full subnet of /24 but in real environment you should use only particular IP addresses for the hosts, from which you want to access the ASDM)
   ASA1(config)# http 192.168.1.0 255.255.255.0 INSIDE
5. Configure the username and password
   ASA(config)#username cisco password cisco privilege 15
6. Now we can access web page from browser or through ASDM-IDM Launcher application
   https://192.168.1.254

Security Level

Security level indicates how we trust an interface , comparing to other interfaces. A interface with high security level is more trusted then a interface which having lower security level. On ASA, we defines each interface with a security level and interface with security level acts like a zone.

By default, ASA not follow the zone concept. Zone is the concept of PALO ALTO and Checkpoint etc.
An interface with a high security level can access an interface with a low security level. But interface with low security level is not allowed to access an interface which is having high security level. If it is required then we can configure ACL for allow the traffic from low security level to higher security level.

But reverse traffic from lower security level to higher security level will be allow. Means, if we are sending a packet from INSIDE (Higher Security Level) to OUTSIDE (Lower Security Level) then reply packet will be allowed automatically. because ASA maintains session / connection table.

By default, Communication between two interfaces of same security level is also not allowed. If it is required then we can allow it using the command
ASA(config)#same-security-traffic permit inter-interface

NOTE: If you are one who is still confused with security level then you can understand it in the way of water flow. Water always can flow from higher place to lower place but it can’t flow from lower place to higher place and same is with ASA security levels.

If we we are giving the name INSIDE to a interface then security level will be set to 100 automatically and if we are giving the name OUTSIDE to a interface then security level will be set to 0 automatically. But we can change it if we want.
Security level can be set between 0 and 100.

Example: Below example is showing that traffic can move from higher security level to lower security level

INSIDE interface configuration
ASA1(config)# interface gi0/0
ASA1(config-if)# nameif INSIDE
INFO: Security level for “INSIDE” set to 100 by default.
ASA1(config-if)# ip address 10.10.10.254 255.255.255.0
ASA1(config-if)# no shutdown
Or
ASA1(config-if)# security-level 100

OUTSIDE interface configuration

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
INFO: Security level for “OUTSIDE” set to 0 by default.
ASA1(config-if)# ip address 192.168.0.1 255.255.255.252
ASA1(config-if)# no shutdown
Or
ASA1(config-if)# security-level 0

NOTE: write erase command is used to erase the configuration. ASA doesn’t support erase startup-configuration command.

Factory Default

The factory default configuration is available only for routed firewall mode and single context mode.

ASA(config)# configure factory-default 192.168.1.1 255.255.255.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for “management” set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed