I'm kind of an idiot when it comes to Cisco stuff. I can usually figure out most firewalls and understand netmasks, IP addressing, DMZ's, NAT, etc. But for some reason I just don't get Cisco ASA's. Both CLI and the ASDM.
Long story short, I'm looking for a good site or someone that can provide me a basic config file with comments so I can understand it.
And yes, I have tried RTFM.
Thanks much everyone.
I understand your pain, research and practice are going to be your best friends. Here are some of my bookmarks for dealing with the Cisco devices:
Best of luck!
I'm the guy who wrote the previously mentioned article "8 Basic commands for configuring your Cisco ASA". When Cisco changed the PAT/NAT configuration in the spring of 2010, it made some of those commands obsolete. I've updated the article with a new blog post at http://blog.soundtraining.net/2010/11/understanding-eight-basic-commands-on.html. Hope that helps.
What is it you're trying to do?
I may have access to an ASA, but without knowing what you're trying to achieve, I can't begin to guess at what bits of config may be of relevance
From here:
This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license. The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc. Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.
Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.
alt text http://www.cisco-tips.com/images/asa-5510-basic-configuration.jpg
The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:
Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:
ASA5510(config)# enable password mysecretpassword
Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut
Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further.
You can run cisco asa into two modes router and transparent mode, and GregD tutorial talks about router mode of asa. if you already have a router i recommend you to use the cisco asa in transparent, as a Layer 2 firewall and that acts like a "stealth firewall" also, and it is unnecessary to readdress IP.
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. Alternatively, in transparent mode that can allow any traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
