On a PIX Firewall running OS version 6.3, by default interface Ethernet0 is the WAN port (called the outside interface) and interface Ethernet1 is the LAN port (called the inside interface). Also by default, the outside interface has security level 0 (zero) and the inside interface has security level 100. You can see all of this with the show nameif command.
On an ASA, or a PIX Firewall running OS version 7.0 or later, any interface can be assigned the WAN or LAN role. For instance, you could have interface Ethernet0/0 as inside (LAN) and Ethernet0/1 as outside (WAN). Whichever interface you choose, naming it outside gives it security level 0 (zero) and naming it inside gives it security level 100. You will see this as soon as you assign the outside or inside name to a specific interface.
As the configuration below shows, a PIX Firewall running OS version 6.3 is configured much like an ASA or a PIX Firewall running OS version 7.0 or later. There are small differences here and there, but the general concept is the same.
To help you further, some command lines below are specific to a PIX Firewall running OS version 6.3 and some are specific to an ASA or PIX Firewall running OS version 7.0 or later. Where no version is specified, the command lines apply to OS version 6.3 and later (which of course includes OS version 7.0 or later).
Let us say that the following are the IP subnets you need to configure on the PIX Firewall or ASA.
WAN:
Subnet: 23.42.53.0/24 network (or 23.42.53.0 network with subnet mask of 255.255.255.0)
IP address: 23.42.53.24
Default Gateway: 23.42.53.1
DNS: 23.42.52.1
LAN:
Subnet: 10.10.10.0/24 network (or 10.10.10.0 network with subnet mask of 255.255.255.0)
IP address: 10.10.10.1 (the default gateway for the LAN machines sitting behind the PIX or ASA)
To configure this information, the general idea is to do the following:
1. Configure the interface IP address and subnet mask
2. Issue the speed and duplex setting command to bring up the interfaces. For this illustration, all interfaces are set to auto negotiation
3. Enter the default gateway command
4. Specify the LAN subnet that needs WAN access via NAT or PAT
5. Specify the WAN IP address as the NAT/PAT-ed IP address of the LAN subnet
6. Clear the translation table so the new NAT/PAT rules apply to existing translations
7. Save the configuration.
Note that to access the WAN or the Internet, the LAN subnet is NAT/PAT-ed to the WAN IP address. In a typical Internet gateway environment, where you connect the PIX Firewall WAN port to an Internet modem/router and the LAN port to the internal switch, this NAT/PAT mechanism is required. It is possible to run the PIX/ASA without NAT/PAT, depending on how your network is set up. For the sake of illustration, this FAQ assumes NAT/PAT on the PIX/ASA is required.
Configure Interface IP Addresses and subnet mask for WAN
For PIX running version 6.x:
pixfirewall(config)#ip address outside 23.42.53.24 255.255.255.0
pixfirewall(config)#interface ethernet0 auto
For ASA or PIX running version 7.x or later:
asa(config)#interface Ethernet0/0
asa(config-if)#nameif outside
asa(config-if)#duplex auto
asa(config-if)#speed auto
asa(config-if)#ip address 23.42.53.24 255.255.255.0
asa(config-if)#no shutdown
Note: on an ASA or PIX Firewall running OS version 7.0 or later, naming the interface outside automatically sets its security-level to 0 (zero).
Configure the Interface IP Address for LAN:
For PIX running version 6.x:
pixfirewall(config)#ip address inside 10.10.10.1 255.255.255.0
pixfirewall(config)#interface ethernet1 auto
For ASA or PIX running version 7.x or later:
asa(config-if)#interface Ethernet0/1
asa(config-if)#nameif inside
asa(config-if)#duplex auto
asa(config-if)#speed auto
asa(config-if)#ip address 10.10.10.1 255.255.255.0
asa(config-if)#no shutdown
Note: on an ASA or PIX Firewall running OS version 7.0 or later, naming the interface inside automatically sets its security-level to 100 (one hundred).
To configure the default gateway (a default route pointing out of the outside interface toward the WAN gateway), do the following:
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 23.42.53.1
Allow a specific LAN subnet (here 10.10.10.0/24) to have WAN access:
pixfirewall(config)#nat (inside) 1 10.10.10.0 255.255.255.0 0 0
Specify the WAN IP address (the address of the outside interface itself) as the NAT/PAT-ed IP address of the LAN subnet:
pixfirewall(config)#global (outside) 1 interface
Note: there is a 1 parameter on both the nat and global commands. This is the NAT ID, and when doing NAT/PAT the ID on the nat command must match the ID on the global command. If, say, the nat command uses 3, then the global command must use 3 as well. In other words, each NAT/PAT process is defined by a matching pair of nat and global commands; a nat with no global of the same ID (or vice versa) translates nothing. The nat/global syntax shown here applies to OS version 6.3 through ASA 8.2; ASA 8.3 and later replaced it with object-based NAT.
Clear the translation table so that the new NAT/PAT pair takes effect (to be exact, this resets all existing NAT/PAT translations; active connections through the firewall are dropped and rebuilt under the current rules):
pixfirewall(config)#clear xlate
Keep in mind that this illustration assumes a static WAN IP address on an Ethernet connection. If this does not match your situation, please go to the FAQ subsection and find the most suitable environment (PPP, DHCP, etc.).
Save the configuration:
pixfirewall(config)#exit
pixfirewall#write memory
Note: write memory saves the running configuration to flash; write terminal only displays the running configuration on screen and does not save anything.
On an ASA or PIX running OS version 7.0 or later, you can also save the changes with the IOS-style command:
pixfirewall#copy running-config startup-config
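Before committing a configuration like the one built above, it helps to check it offline for the two mistakes this procedure most often produces: a nat and global whose IDs do not match (so nothing is translated) and a default-route gateway that is not on the outside subnet. The following checker is an added example written for this FAQ, not code from Cisco or from the original page. It parses both the 6.x-style (nameif/ip address <name>) and 7.x-style (interface block) syntax shown above, and the two embedded configurations are constructed samples: one is the 7.x equivalent of the commands in this FAQ, the other a 6.x-style configuration with the two mistakes planted in it.

```python
"""Offline sanity checks for PIX/ASA interface, route and nat/global configuration."""
import ipaddress
import re

# Constructed sample, not captured from a device: the 7.x running-config for this FAQ.
SAMPLE_CONFIG_7X = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 23.42.53.24 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 23.42.53.1 1
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
global (outside) 1 interface
"""

# Constructed 6.x-style sample with two deliberate mistakes: mismatched nat/global ids
# and a default gateway that is not on the outside subnet.
BROKEN_CONFIG_6X = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 23.42.53.24 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 23.42.54.1 1
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
global (outside) 3 interface
"""

NAT_RE = re.compile(r"(nat|global)\s+\((\S+)\)\s+(\d+)\b")

def _new_iface():
    return {"address": None, "network": None, "security": None}

def parse_config(text):
    """Extract interfaces, static routes and nat/global ids from 6.x or 7.x syntax."""
    ifaces, routes, nats, globals_ = {}, [], {}, {}
    cur = None  # interface block currently open (7.x style)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            cur = _new_iface()
        elif tok[0] == "nameif":
            if len(tok) >= 3:  # 6.x: nameif ethernet0 outside security0
                entry = ifaces.setdefault(tok[2], _new_iface())
                if len(tok) > 3 and tok[3].startswith("security"):
                    entry["security"] = int(tok[3][len("security"):])
            elif cur is not None:  # 7.x: nameif outside, inside an interface block
                ifaces[tok[1]] = cur
        elif tok[0] == "security-level" and cur is not None:
            cur["security"] = int(tok[1])
        elif tok[:2] == ["ip", "address"]:
            try:
                ipaddress.ip_address(tok[2])
                entry, addr, mask = cur, tok[2], tok[3]  # 7.x: ip address A M
            except ValueError:  # 6.x: ip address <nameif> A M
                entry, addr, mask = ifaces.setdefault(tok[2], _new_iface()), tok[3], tok[4]
            if entry is not None:
                entry["address"] = ipaddress.ip_address(addr)
                entry["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif tok[0] == "route":
            dest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((tok[1], dest, ipaddress.ip_address(tok[4])))
        elif NAT_RE.match(raw.strip()):
            kind, ifname, nid = NAT_RE.match(raw.strip()).groups()
            (nats if kind == "nat" else globals_).setdefault(int(nid), []).append(ifname)
    return ifaces, routes, nats, globals_

def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    ifaces, routes, nats, globals_ = parse_config(text)
    findings = []
    # Every nat id needs a global with the same id and vice versa (id 0 is identity NAT, exempt).
    for nid in sorted(set(nats) | set(globals_)):
        if nid != 0 and nid in nats and nid not in globals_:
            findings.append(f"nat id {nid} on {', '.join(nats[nid])} has no matching global")
        elif nid not in nats:
            findings.append(f"global id {nid} on {', '.join(globals_[nid])} has no matching nat")
    # A route's gateway must be a neighbour on the named interface, not the firewall itself.
    for ifname, dest, gw in routes:
        entry = ifaces.get(ifname)
        if entry is None or entry["network"] is None:
            findings.append(f"route to {dest} uses interface {ifname}, which has no IP address")
        elif gw not in entry["network"] or gw == entry["address"]:
            findings.append(f"gateway {gw} for {dest} is not a neighbour on {ifname} {entry['network']}")
    # Interface subnets must not overlap (the device refuses the second ip address command).
    named = [(n, e["network"]) for n, e in ifaces.items() if e["network"] is not None]
    for i, (n1, net1) in enumerate(named):
        for n2, net2 in named[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"interfaces {n1} ({net1}) and {n2} ({net2}) overlap")
    return findings

if __name__ == "__main__":
    for label, cfg in (("7.x sample", SAMPLE_CONFIG_7X), ("broken 6.x sample", BROKEN_CONFIG_6X)):
        print(label, "->", check_config(cfg) or "OK")
```

Feed it the output of show running-config (or write terminal) pasted into a file; the parser ignores lines it does not recognise, so a full configuration with access-lists and other commands is fine. The NAT ID pairing check is the one that catches the mismatch described in the note above, and the overlap check catches an inside address accidentally typed on the outside subnet before the device rejects it mid-procedure.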