Cisco ASA 5506 Configuration – Step by Step

The ASA 5506-X has a default configuration out-of-the-box. This default configuration has the following characteristics:

  • Internal LAN: 192.168.1.0/24
  • Internal LAN can access the Internet.
  • The WAN (outside) interface (GE1/1) is configured to receive IP address from DHCP.
  • The LAN (inside) interface (GE1/2) has IP address 192.168.1.1
  • DHCP is enabled for providing IP address to internal hosts.

In this section we will describe how to change this default configuration to suit your network topology. We assume that you already have network connectivity (or console connectivity) to the device so that you can start configuring with Command Line Interface (CLI).

This is our network topology for the basic configuration.

basic configuration tutorial asa 5506-x

  • Internal user LAN: 10.1.1.0/24
  • ASA inside IP: 10.1.1.1
  • ASA outside IP (static): 50.1.1.1
  • NAT: Dynamic overload (PAT) using the outside interface.

Step 1: Configure the Internal LAN interface

interface GigabitEthernet1/2
  description LAN
  nameif inside
  security-level 100   <- Security level 100 means it’s the most trusted interface
  ip address 10.1.1.1 255.255.255.0
  no shut

The ASA 5506-X has a default configuration out-of-the-box. This default configuration has the following characteristics:

  • Internal LAN: 192.168.1.0/24
  • Internal LAN can access the Internet.
  • The WAN (outside) interface (GE1/1) is configured to receive IP address from DHCP.
  • The LAN (inside) interface (GE1/2) has IP address 192.168.1.1
  • DHCP is enabled for providing IP address to internal hosts.

Step 2: Configure the Outside WAN interface

interface GigabitEthernet1/1
  description WAN
   nameif outside
   security-level 0  <- Security level 0 means it’s the least trusted interface
   ip address 50.1.1.1 255.255.255.0 <- Assume we have a static public IP from the ISP
   no shut

NOTE:

In case the outside interface will receive IP address dynamically via DHCP use this command:

ip address dhcp setroute

Step 3: Configure PAT using the outside interface

nat (inside,outside) source dynamic any interface  <- For traffic going from inside to outside use dynamic NAT on the interface (source IPs will be replaced by the outside interface IP)

Step 4: Configure default route towards the ISP (assume default gateway is 50.1.1.2)

route outside 0.0.0.0 0.0.0.0 50.1.1.2

OPTIONAL STEPS (But Useful)

Step 5: Assign IP addresses via DHCP to internal hosts

You can configure the ASA to work as DHCP server and assign IP addresses dynamically to internal hosts.

dhcpd address 10.1.1.10-10.1.1.100 inside   <- ASA will assign IPs between 10.1.1.10-100
dhcpd dns 208.67.220.220 208.67.222.222  <- ASA will assign DNS servers (these are the opendns by the way)
dhcpd enable inside

Step 6: Enable SSH access for management

hostname ASA5506
crypto key generate rsa modulus 1024
ssh 10.1.1.5 255.255.255.255 inside   <- Allow SSH access only from inside host 10.1.1.5
aaa authentication ssh console LOCAL <- Enable local authentication for SSH
username admin password [STRONGPASS] privilege 15
enable password Gh4w7$-s39fg#(!

Step 7: Apply useful ACL on outside

I usually apply the following ACL on the outside interface. It has two purposes: First is to allow ICMP reply packets to come back in (when pinging from inside to outside) and second purpose is to log any denied packets hitting the firewall from outside (for alert and security purposes).

access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

The above concludes the basic configuration of the ASA 5506-X