HOME

ASA Basics

ASDM

ASDM provides the GUI (Graphical user interface) to configure and manage the ASA. After enabling the ASDM we can use it in two different ways. 1. through accessing in browser. 2. through installing application on desktop. If we want to access through application then we can download it from ASA when first time accessing the ASDM through browser.

Enabling ASDM

  1. Check the ASDM bin file into flash (show disk0:) if is not present then upload it.
  2. After that tell to ASA which ASDM file will be use.
    ASA1(config)# asdm image disk0:/asdm-731.bin
  3. Enable the HTTP. By default it is disabled.
    ASA1(config)# http server enable
    hostname(config)# http server enable 443

    NOTE: Port 443 is the default port for ASDM. If you want to change this port number then you can do it. If you are changing the port number for ASDM then you have to use this port number in your URL when you are accessing the ASDM. Example, if you change the port number to 444, Then enter the following: https://10.1.1.1:444
  4. Restrict the access (We should restrict the access. Here I have allowed the full subnet of /24 but in real environment you should use only particular IP addresses for the hosts, from which you want to access the ASDM)
    ASA1(config)# http 192.168.1.0 255.255.255.0 INSIDE
  5. Configure the username and password
    ASA(config)#username cisco password cisco privilege 15
  6. Now we can access web page from browser or through ASDM-IDM Launcher application
    https://192.168.1.254

Security Level

Security level indicates how we trust an interface , comparing to other interfaces. A interface with high security level is more trusted then a interface which having lower security level. On ASA, we defines each interface with a security level and interface with security level acts like a zone.

By default, ASA not follow the zone concept. Zone is the concept of PALO ALTO and Checkpoint etc.
An interface with a high security level can access an interface with a low security level. But interface with low security level is not allowed to access an interface which is having high security level. If it is required then we can configure ACL for allow the traffic from low security level to higher security level.

But reverse traffic from lower security level to higher security level will be allow. Means, if we are sending a packet from INSIDE (Higher Security Level) to OUTSIDE (Lower Security Level) then reply packet will be allowed automatically. because ASA maintains session / connection table.


By default, Communication between two interfaces of same security level is also not allowed. If it is required then we can allow it using the command
ASA(config)#same-security-traffic permit inter-interface

NOTE: If you are one who is still confused with security level then you can understand it in the way of water flow. Water always can flow from higher place to lower place but it can’t flow from lower place to higher place and same is with ASA security levels.


If we we are giving the name INSIDE to a interface then security level will be set to 100 automatically and if we are giving the name OUTSIDE to a interface then security level will be set to 0 automatically. But we can change it if we want.
Security level can be set between 0 and 100.


Example: Below example is showing that traffic can move from higher security level to lower security level

INSIDE interface configuration
ASA1(config)# interface gi0/0
ASA1(config-if)# nameif INSIDE
INFO: Security level for “INSIDE” set to 100 by default.
ASA1(config-if)# ip address 10.10.10.254 255.255.255.0
ASA1(config-if)# no shutdown
Or
ASA1(config-if)# security-level 100

OUTSIDE interface configuration

ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
INFO: Security level for “OUTSIDE” set to 0 by default.
ASA1(config-if)# ip address 192.168.0.1 255.255.255.252
ASA1(config-if)# no shutdown
Or
ASA1(config-if)# security-level 0

NOTE: write erase command is used to erase the configuration. ASA doesn’t support erase startup-configuration command.

Factory Default

The factory default configuration is available only for routed firewall mode and single context mode.

ASA(config)# configure factory-default 192.168.1.1 255.255.255.0
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for “management” set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed

15 thoughts on “HOME

    1. admin Post author

      Hi Avon, My apologies if you have faced any difficulties. We are just under construction face as well as we are looking for suggestions. so please feel free for share your feedback. It will be helpful for us.

      Regards,
      Admin
      networkrare.com

      Reply
  1. Travisdrype

    good but it will more helpful if you will share articles on new technologies

    Reply
  2. Royal CBD

    Hello my loved one! I want to say that this post is awesome,
    great written and include approximately all vital infos.

    Reply
  3. Royal CBD

    Highly descriptive blog, I enjoyed that bit. Will there be a part 2?

    Reply
  4. JamesAxomy

    please keep sharing on ASA. i know its now legacy but still in demand

    Reply
  5. Janiffer

    I have read this article and if I could I want to suggest you some attention-grabbing things or tips. Perhaps you can write subsequent articles relating to this article. I wish to learn more issues approximately it!

    Reply
  6. sugar daddy

    You cover more useful information than I have seen elsewhere. Please could you share your sourceexperience with us?

    Reply
  7. Lindsay Johnson

    Hi,

    I hope you are doing well.

    I want to contribute a guest post article to your website that may interest your readers.

    Reply

Leave a Reply

Your email address will not be published.