I want to cover some of the basics regarding the Cisco ASA. First, the ASA can operate in two modes: Routed/Transparent. Routed mode acts as a L3 bump on the wire, while transparent mode acts as a L2 bump on the wire. See more about Transparent ASAs here: Deploying an ASA in Transparent Mode
In this post I want to cover the following ASA basics:
Configuring different types of interfaces
Enabling ASDM access
Enabling SSH access
To start, here are a few required components when configuring an ASA interface. These are:
Security level = a numeric value in the range of 0 to 100 that allows the ASA control traffic flow
Nameif = required/used to name the interface
Note that default behavior of an ASA is to allow traffic from a higher security level interface to a lower level security interface. Also, in order to allow traffic from lower to higher security levels ACLs must be in place.
A simple configured physical interface looks like the following:
interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.10.22.2 255.255.255.0
To view configured interfaces you can use the following:
#show interface ip brief #show interface <interface> <detail/ip/stats/summary>
On the ASAs we have the ability to support 802.1q tagging via configuring vlan sub-interfaces:
interface GigabitEthernet0/0.29 vlan 29 nameif inside security-level 100 ip address 10.10.29.2 255.255.255.0
The same rules apply with requirements mentioned above. An important configuration note is that the ASA does not support the Dynamic Trunking Protocol (DTP), so you must configure the connected switch port to trunk unconditionally.
The next type of interface I will cover is the redundant interface. A redundant interface consists of a pair of physical interfaces. Within the pair there is one active and one standby interface. When the one interface fails the other takes over. Note that this is completely separate from device-level failover. You have the ability to configure up to 8 interface pairs. Redundant interface configuration looks like this:
interface Redundant1 member-interface GigabitEthernet0/7 member-interface GigabitEthernet0/8
Note that the paired physical interfaces must be identical type. So for example both 1g interfaces, or both 10g interfaces, etc. Also, if needing to configure a redundant interface in context mode the configuration needs to be performed in system execution space. Lastly, you cannot add a member interface if a nameif already exists on the physical interface. Once the redundant pair is setup you can proceed with configuring additional parameters such as nameif, sec level, etc.
You can use the following to verify redundant interfaces:
#show run interface redundant <#> #show interface redundant <#>
The last type of interface I will cover is configuring an etherchannel port-channel interface. A few important need-to-knows include: all interfaces in the group must be the same media type & must be set to the same speed/duplex, and each group can have up to 16 active interfaces. An example of configuring an etherchannel port-channel interface is as follows:
Assign interfaces to the port-channel:
interface GigabitEthernet0 channel-group 1 mode on no nameif no security-level no ip address ! interface GigabitEthernet1 channel-group 1 mode on no nameif no security-level no ip address
Next you configure the port-channel as desired, an example:
interface Port-channel1.10 vlan 10 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0
Use the following to verify etherchannel interfaces:
#show port-channel summary #show port-channel detail #show run interface port-channel <#>
Now that the different types on interfaces & basic configuration examples of each is concluded I will go over enabling ASDM & SSH access.
There are a few requirements in order for this to work. These configuration requirements include:
ASDM image loaded into flash
Tell ASA what image to use
Enable HTTP server
Tell ASA what network & interface to allow HTTP (ASDM) access on
A brief example is as follows:
aaa authentication http console LOCAL http server enable http 172.16.30.0 255.255.255.0 MGMT asdm image disk0:/asdm-XX.bin username mcifelli password ***** pbkdf2 privilege 15
In the above example I allow the 184.108.40.206/24 HTTP access to the MGMT interface, and specify the authentication type as local via the aaa authentication command.
Lastly, I will cover how to enable SSH on an ASA. The requirements are as follows:
Setup enable password (optional, but recommended)
Configure local username (better to use remote source such as ISE/AD)
Enable AAA & SSH version 2
Generate RSA keypair
Tell ASA what network & interface to allow SSH on
Here is a brief overview of how to enable SSH access to Cisco ASA:
aaa authentication ssh console LOCAL ssh stricthostkeycheck ssh timeout 60 ssh version 2 ssh key-exchange group dh-group14-sha1 ssh 172.16.30.0 255.255.255.0 MGMT
In the above example I allow the 220.127.116.11/24 SSH access to the MGMT interface, and specify the authentication type as local via the aaa authentication command. To generate the keypair use the following command:
crypto key generate rsa modulus 4096
Note to see more about PKI related configs/examples see the pki tag.
And there you have it. Now we have a better grasp on some of the ASA basics regarding interface types, ASDM access, & SSH access. Cheers!