[opensource-wg] Teo En Ming's Notes on Basic Configuration of Cisco ASA 5516-X Firewall - Version 1

Subject: Teo En Ming's Notes on Basic Configuration of Cisco ASA 5516-X Firewall - Version 1

Good day from Singapore,

Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date of Publication: 20 March 2024 Wednesday
Document Version: 1

I have bought this refurbished/second hand/used Cisco ASA 5516-X firewall with FirePOWER Services for SGD$100 at Bukit Panjang Ring Road on 17 Mar 2024 Sunday at about 8.30 PM Singapore Time.

On 19 March 2024 Tuesday, I have completed basic configuration of this firewall.

Configuration Start: 19 March 2024 Tuesday, 9.22 PM

Configuration End: 19 March 2024 Tuesday, 11.33 PM

Below are my notes on configuring the Cisco ASA 5516-X firewall (basic).

Part 1: Factory reset the Cisco ASA 5516-X firewall
===================================================

Reference guide: Clearing, resetting or erasing configuration on Cisco ASA
Link: https://www.linkedin.com/pulse/clearing-resetting-erasing-configuration-cisco-asa-darko-raki%C4%87?utm_source=share&utm_medium=member_android&utm_campaign=share_via

cisco> en
Password: *****

cisco# conf t
cisco(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: Y

Enabling anonymous reporting.
Adding "call-home reporting anonymous" to running configuration...
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint CA certificate accepted.

Please remember to save your configuration.

cisco(config)# configure factory-default
Based on the inside IP address and mask, the DHCP address
pool size is reduced to 250 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: !
Executing command: interface Management1/1
Executing command:  management-only
Executing command:  no nameif
Executing command:  no security-level
Executing command:  no ip address
Executing command:  no shutdown
Executing command:  exit
Executing command: !
Executing command: interface GigabitEthernet1/1
Executing command:  nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command:  security-level 0
Executing command:  ip address dhcp setroute
Executing command:  no shutdown
Executing command:  exit
Executing command: !
Executing command: interface GigabitEthernet1/2
Executing command:  nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command:  security-level 100
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command:  no shutdown
Executing command:  exit
Executing command: !
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (any,outside) dynamic interface
Executing command: exit
Executing command: !
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: !
Executing command: dhcpd auto_config outside
Executing command: dhcpd address 192.168.1.5-192.168.1.254 inside
Executing command: dhcpd enable inside
Executing command: !
Executing command: logging asdm informational
Executing command: !
Executing command: !
Executing command: !
Factory-default configuration is completed

ciscoasa(config)# reload
System config has been modified. Save? [Y]es/[N]o:  y
Cryptochecksum: 200435a9 cee9c848 4fb5e91d ac201631

3250 bytes copied in 0.150 secs
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: Sending processes the TERM signal
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...


Part 2: Basic Configuration of Cisco ASA 5516-X Firewall
=========================================================

Reference guide: Basic Cisco ASA 5506-x Configuration Example
Link: https://www.speaknetworks.com/basic-cisco-asa-5506-x-configuration-example/

ciscoasa> en
Password:
ciscoasa#

ciscoasa# show bootvar

BOOT variable =
Current BOOT variable =
CONFIG_FILE variable =
Current CONFIG_FILE variable =

Step 1: Configure ASA interfaces and assign appropriate security levels
===========================================================================

ciscoasa# conf t

ciscoasa(config)# interface GigabitEthernet1/1
ciscoasa(config-if)# description to WAN
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# exit

ciscoasa(config)# interface GigabitEthernet1/2
ciscoasa(config-if)# description to LAN
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# exit

ciscoasa(config)# interface GigabitEthernet1/3
ciscoasa(config-if)# description to DMZ1
ciscoasa(config-if)# nameif dmz1
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# exit

Step 2: Configure ASA as an Internet gateway, enable Internet access
========================================================================

Configure NAT rules.

ciscoasa(config)# nat (inside,outside) after-auto source dynamic any interface
ciscoasa(config)# nat (dmz1,outside) after-auto source dynamic any interface

Allow ping requests to go out.

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

Step 3: Configure static NAT to web servers, grant Internet inbound access to web servers
===========================================================================================

I will skip this step because I am not planning to have any public facing web servers at home at the moment.

Step 4: Configure DHCP service on the ASA
============================================

Configure DHCP server for LAN network.

ciscoasa(config)# dhcpd address 192.168.1.2-192.168.1.254 inside
ciscoasa(config)# dhcpd dns 8.8.8.8 8.8.4.4
ciscoasa(config)# dhcpd lease 3600
ciscoasa(config)# dhcpd ping_timeout 50
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcprelay timeout 60

Configure DHCP Server for DMZ network.

ciscoasa(config)# dhcpd address 192.168.2.2-192.168.2.254 dmz1
ciscoasa(config)# dhcpd enable dmz1

ciscoasa(config)# exit

(Optional) Step 5: Redirect traffic to the FirePOWER module for deeper level inspection
========================================================================================

I don't think I have any FirePOWER feature license, so I will skip this step for the moment.

Step 6: Hardening the device
===============================

Shutdown unused interfaces.

ciscoasa(config)# interface GigabitEthernet1/4
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# interface GigabitEthernet1/5
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# interface GigabitEthernet1/6
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# interface GigabitEthernet1/7
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# interface GigabitEthernet1/8
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# exit

Enable SSH access for admin.

ciscoasa(config)# hostname ASA5516X
ASA5516X(config)# crypto key generate rsa modulus 1024 (change to 4096 in future)
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...



Hosts from the internet are not allowed to ssh into the firewall.

LAN users are allowed to ssh into the firewall.
ASA5516X(config)# ssh 192.168.1.0 255.255.255.0 inside

DMZ users are not allowed to ssh into the firewall.

ASA5516X(config)# ssh timeout 30
ASA5516X(config)# ssh version 2
ASA5516X(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.

Step 7: Configure time and enable logging
===========================================

I didn't set the time or timezone correctly. Will fix it in the future.

ASA5516X(config)# clock set 22:37:00 Mar 19 2024
ASA5516X(config)# clock timezone GMT +8
ASA5516X(config)# logging enable
ASA5516X(config)# logging timestamp
ASA5516X(config)# logging buffer-size 512000
ASA5516X(config)# logging buffered debugging

Part 3: Create LOCAL users for SSH
==================================

Reference guide: Cisco ASA Firewall Management Interface Configuration (with Example)
Link: https://www.networkstraining.com/using-the-management-interface-of-the-cisco-asa-firewall/

ASA5516X(config)# username cisco password cisco privilege 15

Part 4: Enable ASA Web Interface
=================================

Reference guide: How do I perform a basic setup of Cisco ASA 5516-X firewall?
Link: https://community.cisco.com/t5/network-security/how-do-i-perform-a-basic-setup-of-cisco-asa-5516-x-firewall/m-p/5041698#M1109965

ASA5516X(config)# http server enable
ASA5516X(config)# http 192.168.1.0 255.255.255.0 inside
ASA5516X(config)# enable password cisco level 15

Hosts from the internet are not allowed to access the ASA web interface.
Hosts from the DMZ are not allowed to access the ASA web interface.

Part 5: Saving the Firewall Configuration
==========================================

ASA5516X(config)# write mem
Building configuration...
Cryptochecksum: 5857f4ec 34234f34 4cec64f6 f85d7cd4

7180 bytes copied in 0.150 secs
[OK]


ASA5516X(config)# write mem
Building configuration...
Cryptochecksum: 5857f4ec 34234f34 4cec64f6 f85d7cd4

7180 bytes copied in 0.150 secs
[OK]


Part 6: show run output
=======================

ASA5516X# show run
: Saved

:
: Serial Number: JAD****00ZZ
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.7(1)4
!
hostname ASA5516X
enable password $sha512$5000$LuFgFhttGYuAEdvYbB7Y9g==$M2/7xYvePzQsOAQNrQsxTg== pbkdf2
names

!
interface GigabitEthernet1/1
 description to WAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description to LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 description to DMZ1
 nameif dmz1
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 8
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz1,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
    308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30
    36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967
    6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c
    79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562
    6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72
    69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00
    3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b
    e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1
    b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49
    ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969
    7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406
    04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd
    75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983
    cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f
    3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405
    30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701
    0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007
    06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516
    23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f
    2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af
    33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a
    982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98
    097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8
    e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e
    db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f
    e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619
    e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e
    6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6
    183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
dhcpd address 192.168.2.2-192.168.2.254 dmz1
dhcpd enable dmz1
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco password $sha512$5000$G5B9+ZfYxXVvcUPZ67ndpg==$SzTisL+GxQG2Nr/K7hh9gA== pbkdf2 privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:2cf585656729bff783f7247b760f1d15
: end


Part 7: Corrective Steps for DMZ network
========================================

ASA5516X(config)# interface GigabitEthernet1/3
ASA5516X(config-if)# no shut
ASA5516X(config-if)# exit
ASA5516X(config)# write mem
Building configuration...
Cryptochecksum: 2cf58565 6729bff7 83f7247b 760f1d15

7170 bytes copied in 0.150 secs
[OK]

That's all.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com