Cisco Adaptive Security Appliance (ASA) Setup Wizard
By Edward Tetz from Cisco Networking All-in-One For Dummies
After you are connected to your Cisco Adaptive Security Appliance (ASA), you have to decide whether to use the Startup Wizard or a different configuration method. The introduction page appears, which allows you to make that decision. Because you need to have Java installed on your computer, you have three choices here:
Install ASDM Launcher and Run Cisco Adaptive Security Device Manager (ASDM): Installs the ASDM on your computer. If this is the computer you will always use to perform your management, this method makes the most sense.
Run ASDM: This option uses Java Web Start to launch the ASDM tool directly from the copy installed on the ASA. This is beneficial if you are not at your normal computer because you do not install any software.
Run Startup Wizard: This option also uses Java Web Start to launch ASDM, with one exception: after the ASDM has launched, the Startup Wizard runs automatically.

To perform the network configuration of the ASA, the following process walks you through the Startup Wizard:
1. Click the Run Startup Wizard button on the introduction page.
You receive a warning related to the security settings on Java.
2. If you are sure that you are connected to the correct device on the network and not some fake device trying to collect your credentials, dismiss the warning message.
Because you expect this message from the ASDM, continue to the website. The Cisco ASDM Launcher dialog box appears.
3. If you have an enable password, but no actual users, skip the Username field, fill in the enable password in the Password field, and click OK.
If you have already created an administrative user, provide the username and password in the appropriate fields.

The Starting Point page appears.
4. Select one of the following, based on whether you are setting up the ASA initially or whether you are using setup to change an existing ASA installation:
Modify Existing Configuration: You can choose to modify the existing configuration.
Reset Configuration to Factory Defaults: With the exception of the management interface, modify the default configuration. As it turns out, a lot of small networks out there require only simple changes to their configuration, and as such, rerunning the Startup Wizard is the easiest way to make these changes.

5. Click the Next button.
The Basic Configuration page appears, with two optional items that you can choose to do.
6. (Optional) Select from the following items:
Configure the Device for Teleworker Usage: This option supports teleworkers or remote workers via a virtual private network (VPN). If you select this option, you are presented with an extra page of questions for the Easy VPN Remote Configuration near the end of the Startup Wizard.
On this page, you can also tell the Startup Wizard the name of the firewall device, such as ASAFirewall1, and the domain name to which the device belongs, such as edtetz.net.
Change Privileged Mode (Enable) Password: If you are not happy with your current enable password, change it here before you complete this step of the Startup Wizard.

7. Click the Next button.
8. Choose virtual local area networks (VLANs) for the Outside, Inside, and optionally, DMZ interfaces.
Depending on the number of interfaces you are licensed for, you can configure up to three interfaces. The basic license for the ASA allows you to have only two interfaces. The Interface Selection page of the Startup Wizard appears.
The Outside VLAN faces the Internet.
The Inside VLAN faces your corporate network.
The DMZ VLAN operates parallel to your corporate network. The Demilitarized Zone (DMZ) is an area where you can place servers, such as mail, web, or FTP servers, that the public at large, or at least people outside your network, need access to.
For each of these interfaces, you assign a VLAN to the segment or choose not to use the interface at all. By default, the Inside interface is configured for VLAN 1, which you can change if you want; however, because this is the default VLAN on your switches, you may not want to change it.
For your Outside interface and DMZ interface, you can choose another VLAN or go with the ones chosen by default.
Enabling the inside VLAN, outside VLAN, and DMZ VLAN interfaces does not actually associate any particular switch ports to those interfaces. The interfaces are virtual and need to be associated to physical interfaces on the switch. This means that any number of ports can be associated to any of these interfaces.

9. Click the Next button.
The Switch Port Allocation page appears.
10. Assign the ASA switch ports to the three VLANs by selecting the port in the Available Ports or Allocated Ports panes and clicking the Add or Remove buttons.
Initially, all your ports are associated with the inside VLAN. In most cases, associate the lowest interface, or Ethernet 0/0 of an ASA 5505, with the outside VLAN because you will likely want to use the additional ports on the inside of your network.
Also, on the ASA 5505, the last two ports supply Power over Ethernet (POE) to power up devices, such as phones or access points (APs), which is yet another reason you want the upper ports to be associated with the inside network.
As you choose a switch port and associate it with a VLAN or interface, you are prompted with a message telling you that it may be removed from an existing VLAN. Because all ports start out associated with the Inside interface, you see this message for all your port reassignments.

11. Click the Next button.
The Interface IP Address Configuration page appears.
12. Assign IP configuration for each of your IP addresses.
For your outside address, you can manually assign an address, which is not uncommon for business Internet connections. If your Internet connection supports either Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPOE), select the appropriate option.
If you use DHCP, tell your ASA to use the default gateway it receives from DHCP as the system-wide default gateway for this device. If you choose not to use the system-wide default gateway option, you need to configure a manual route through ASDM or the route outside 0 0 <IP address of gateway> command at the command-line interface (CLI).

13. Click the Next button.
The DHCP Server page appears. For small businesses or regional offices, the ASA may represent the only real device on the network other than printers and computers. You may have these locations set up without any local servers on site.
14. (Optional) Select the Enable DHCP Server on the Inside Interface check box to have the ASA act as a DHCP server for this network segment.
15. (Optional) Select the Enable Auto-Configuration from Interface check box so that you can copy most of these settings from an existing interface.
Enabling the Auto-Configuration check box is very useful for Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses that are constantly being used on all network segments and may all be the same for the organization.
16. Configure or change any of the missing information in the following:
Starting IP Address: The first address to be handed out in the DHCP range.
Ending IP Address: The last address to be handed out in the DHCP range.
DNS servers 1 and 2: The DNS servers that are handed out to DHCP clients.
WINS servers 1 and 2: The WINS servers that are handed out to DHCP clients.
Lease Length: The lease length determines when DHCP clients are required to renew their leases on the DHCP-supplied addresses.
Ping Timeout: The Ping Timeout setting is used by the DHCP server because it pings each address that it is ready to give, prior to assigning the address, to verify that the address is not in use. This reduces the chance of duplicate IP addresses being created on the network.
Domain Name: The domain name the DHCP client belongs to.

17. Click the Next button.
The Address Translation (NAT/PAT) page appears.
18. Set up Network Address Translation or Port Address Translation.
Choose from the available address translation methods:
Use Port Address Translation (PAT): Most small offices, which use only one public IP address on their Internet connection, use PAT on their connection. PAT can use a specific address or the main address from their outside VLAN interfaces. PAT allows an entire office to share (or translate to) a single external IP address for Internet access.
Use Network Address Translation (NAT): Selecting NAT puts one-to-one mapping (or translation) between internal and external IP addresses, so you can specify a range of addresses to use on the outside VLAN interface.
If you use the ASA internally on your network (for example, to protect a server subnet), you may want to select the Enable Traffic through the Firewall Without Address Translation radio button if you use public addresses on your internal network (not likely) or if you use the ASA as a firewall on the interior of your network.

19. Click the Next button.
The Administrative Access page appears.
20. Set what systems on your network can connect to your ASA to perform management or configuration changes.
Use the following process to add new management interfaces. If you want to use ASDM, you need to select the Enable HTTP Server for HTTPS/ASDM Access check box, whereas the Enable ASDM History Metrics check box saves usage data regarding accessing the ASDM interface.
In the command-line setup, you only have the option to allow ASDM connections to be made from a single computer. This page allows you to specify additional systems that can perform management of your ASA and the type of connection they make to perform that configuration.

If you add a new management option, the Add Administrative Access Entry dialog box appears. Select your desired options to create the new Administrative Access entry:
1. Choose HTTP (ASDM), SSH, or Telnet from the Access Type drop-down list.
2. Choose Inside from the Interface Name drop-down list.
Inside is typically the most secure interface option, but in some cases, such as if you need to be able to conduct remote administration over the Outside interface, you should be very restrictive in the address from which the administration is performed.
3. Specify either a specific address from which administration is performed in the IP Address text box or give a network range defined by either an IP address or a Network ID from the Subnet Mask drop-down list.
Remember, the more restrictive you can be with this configuration, the more secure your ASA is.
4. Click OK.
You return to the Administrative Access page.
If you allow your firewall to be administered from the outside interface, you leave yourself open to potentially being compromised by someone you do not know.

21. Click the Next button.
The summary page of the configuration Startup Wizard appears, providing a summary of the configuration that you have applied to the system. All these configuration changes are written into the running configuration on the ASA. After the configuration changes are made, you see the standard ASA ASDM management screen. From this interface you can:
Perform any other configuration changes.
Relaunch the Startup Wizard or other wizards.
Perform basic monitoring of the ASA via the home page.
Perform more detailed monitoring of the ASA and connections that it hosts through the Monitoring pages.
Run additional management and troubleshooting tools.
Save the current configuration to flash memory.
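
To check the Administrative Access entries from step 20 after the wizard has written them to the running configuration, the following added example (not from the original article) audits the ASA CLI lines of the form "http|ssh|telnet <address> <mask> <interface>" and flags Telnet, non-inside interfaces, and overly broad source ranges. The sample configuration and the /24 policy threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample of management-access lines from an ASA running
# configuration; the addresses are made up for illustration.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.10 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

MAX_HOSTS = 256  # assumed policy: flag source ranges wider than a /24


def parse_access_entries(config):
    """Return (access_type, network, interface) for each access entry."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("http", "ssh", "telnet"):
            continue  # skips "http server enable", "ssh timeout 5", etc.
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # four-word lines that are not address/mask entries
        entries.append((parts[0], net, parts[3]))
    return entries


def audit(config):
    """Return a list of (entry_text, finding) pairs."""
    findings = []
    for access, net, iface in parse_access_entries(config):
        text = f"{access} {net} {iface}"
        if access == "telnet":
            findings.append((text, "Telnet sends credentials in cleartext"))
        if iface.lower() != "inside":
            findings.append((text, "management allowed on a non-inside interface"))
        if net.num_addresses > MAX_HOSTS:
            findings.append((text, "source range wider than policy allows"))
    return findings


if __name__ == "__main__":
    for text, finding in audit(SAMPLE_CONFIG):
        print(f"{text}: {finding}")
```
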
