Understanding ASA Basics

I want to cover some of the basics regarding the Cisco ASA. First, the ASA can operate in two modes: Routed/Transparent. Routed mode acts as a L3 bump on the wire, while transparent mode acts as a L2 bump on the wire. See more about Transparent ASAs here: Deploying an ASA in Transparent Mode

In this post I want to cover the following ASA basics:

  • Configuring different types of interfaces

  • Enabling ASDM access

  • Enabling SSH access

To start, here are a few required components when configuring an ASA interface. These are:

  • Security level = a numeric value in the range of 0 to 100 that allows the ASA control traffic flow

  • Nameif = required/used to name the interface

  • IP address

Note that default behavior of an ASA is to allow traffic from a higher security level interface to a lower level security interface. Also, in order to allow traffic from lower to higher security levels ACLs must be in place.

A simple configured physical interface looks like the following:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 

To view configured interfaces you can use the following:

#show interface ip brief
#show interface <interface> <detail/ip/stats/summary>

On the ASAs we have the ability to support 802.1q tagging via configuring vlan sub-interfaces:

interface GigabitEthernet0/0.29
 vlan 29
 nameif inside
 security-level 100
 ip address 

The same rules apply with requirements mentioned above. An important configuration note is that the ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected switch port to trunk unconditionally.

The next type of interface I will cover is the redundant interface. A redundant interface consists of a pair of physical interfaces. Within the pair there is one active and one standby interface. When the one interface fails the other takes over. Note that this is completely separate from device-level failover. You have the ability to configure up to 8 interface pairs. Redundant interface configuration looks like this:

interface Redundant1
 member-interface GigabitEthernet0/7
 member-interface GigabitEthernet0/8

Note that the paired physical interfaces must be identical type. So for example both 1g interfaces, or both 10g interfaces, etc. Also, if needing to configure a redundant interface in context mode the configuration needs to be performed in system execution space. Lastly, you cannot add a member interface if a nameif already exists on the physical interface. Once the redundant pair is setup you can proceed with configuring additional parameters such as nameif, sec level, etc.

You can use the following to verify redundant interfaces:

#show run interface redundant <#>
#show interface redundant <#>

The last type of interface I will cover is configuring an etherchannel port-channel interface. A few important need-to-knows include: all interfaces in the group must be the same media type & must be set to the same speed/duplex, and each group can have up to 16 active interfaces. An example of configuring an etherchannel port-channel interface is as follows:

Assign interfaces to the port-channel:

interface GigabitEthernet0
channel-group 1 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet1
channel-group 1 mode on
no nameif
no security-level
no ip address

Next you configure the port-channel as desired, an example:

interface Port-channel1.10
vlan 10
nameif inside
security-level 100
ip address

Use the following to verify etherchannel interfaces:

#show port-channel summary
#show port-channel detail
#show run interface port-channel <#>

Now that the different types on interfaces & basic configuration examples of each is concluded I will go over enabling ASDM & SSH access.

Enabling ASDM:

There are a few requirements in order for this to work. These configuration requirements include:

  • ASDM image loaded into flash

  • Tell ASA what image to use

  • Enable HTTP server

  • Tell ASA what network & interface to allow HTTP (ASDM) access on

A brief example is as follows:

aaa authentication http console LOCAL 
http server enable
http MGMT
asdm image disk0:/asdm-XX.bin
username mcifelli password ***** pbkdf2 privilege 15

In the above example I allow the HTTP access to the MGMT interface, and specify the authentication type as local via the aaa authentication command.

Lastly, I will cover how to enable SSH on an ASA. The requirements are as follows:

  • Setup enable password (optional, but recommended)

  • Configure local username (better to use remote source such as ISE/AD)

  • Enable AAA & SSH version 2

  • Generate RSA keypair

  • Tell ASA what network & interface to allow SSH on

Here is a brief overview of how to enable SSH access to Cisco ASA:

aaa authentication ssh console LOCAL 
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh MGMT

In the above example I allow the SSH access to the MGMT interface, and specify the authentication type as local via the aaa authentication command. To generate the keypair use the following command:

crypto key generate rsa modulus 4096

Note to see more about PKI related configs/examples see the pki tag.

And there you have it. Now we have a better grasp on some of the ASA basics regarding interface types, ASDM access, & SSH access. Cheers!


Recent Posts

See All

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases: Receipt:

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it