help configuring cisco 5520 asa firewall

Destonomos

HELP! My work knew I had a CCNA and are expecting me to know how to configure a Cisco ASA 5520 firewall. I brought the device home tonight and, minus the fact that I don't have the female-to-male adapter to even be able to console into the damn thing, I'm having 0 luck. Also, with the fact that I have 0 experience with ASA firewalls, I'm feeling like this will never get done.

What I need to accomplish:

upgrade asa firewall to newest firmware

-and-

block all traffic in and out except for predefined public addresses that will be behind the firewall, and allow port 5060 and the RTP ports (VoIP setup).

I also need a rule to allow traffic in from specific IP addresses (VoIP backbone provider).



Since I have 0 experience with this device and my work is expecting that I know how to do it and have this damn thing configured yesterday, there is a sense of urgency.


I know hardforum users are badass at stuff like this and thought I'd reach out and see if I could get some help. What do I need to download to upload the firmware, and what are some examples of what I need to do to accomplish what I wrote above?

Thanks in advance guys. Websites, pointing me in the correct direction would be nice as well.
 
if it helps to give an idea of what I'm trying to achieve (because it is very simple)

I need to update the firmware on this 5520 asa firewall first

then I need to set up rules that will do the following with the setup I have

I have a blade server behind this firewall and that is it as far as topology goes. In the chassis I have 4 blades, each with public IP addresses. I need to allow those IP addresses to talk through the firewall on specifically defined ports.

On those same ports I need to only allow incoming traffic again from 2 public IP addresses and only allow traffic on the same ports. That is all.
 
If you don't have a console cable, how are we supposed to help? Also, why not explain to your boss that ASAs are outside your expertise and you will need to engage TAC or a consultant?
 
I agree with Vito.

You need a console cable. Once you have that, you can set the IP address on a port and then upgrade the firmware and the ASDM on it. Since you haven't set up an ASA before, I would suggest doing this first and getting access to ASDM; that will help you visually set up the device.

I would also tell you that you need to also contact TAC for assistance in configuration of this device. Based on the model number, the expense for that appliance was a decent amount; surely you guys bought a Smartnet warranty for it.
 
I have to be honest here and say, even a CCNA should know how to do everything you listed in your OP
 
If you're configuring the primary firewall of your company and you have no experience with configuring them, stay the hell away from it. You'll cause more harm than good, and any manager that puts you into a position such as this has no business being a manager. There's more at stake misconfiguring a firewall.

my $0.02
 
> If you're configuring the primary firewall of your company and you have no experience with configuring them, stay the hell away from it. You'll cause more harm than good, and any manager that puts you into a position such as this has no business being a manager. There's more at stake misconfiguring a firewall.
>
> my $0.02

+1

Just tell them honestly that you don't feel comfortable with the task, and if they really want you to take this on, ask for training and/or a firewall to test with, books and lots of time. The ASA can get really deep, really quickly.
 
OK, so aside from what I said in my first two posts, I have got into the device. I worked with a Cisco reseller that does business with us and I can use him as a tool to help configure the device. We loaded the new ASDM and OS on the device and I have ASDM up and running on it. I'm logged into it now and I have my outside and inside addresses configured (192.168.1.1 for now on inside), but behind the firewall no NAT should be happening because it is going to be a blade server with 3 public IP addresses on it. The interfaces on the firewall are public as well.

What I need is a site that kind of steps through the motions of how to block ALL traffic except for the 3 IPs on the inside to pass through the router on specific IPs, and how to only let outside traffic from two IPs come in on specific ports, and that is all. All other traffic should be blocked and denied, with the exception of access through VPN to the firewall.

I think that's reasonably easy to set up; I just need to know where in ASDM to go to configure that stuff.

Any help would be appreciated, we are not going to be able to access help through outside besides my one contact and no one else here is even schooled on cisco at all. Personally, I only have a CCNA and I'm used to routers and switches.
 
write the ACL, and apply it to the appropriate int; that part is the same as with routers.


! Deny traffic to one host (and log the hits), then permit everything else
access-list inside_access_in extended deny ip any host 192.168.100.43 log
access-list inside_access_in extended permit ip any any

! Apply the ACL to traffic arriving on the inside interface
access-group inside_access_in in interface inside
 
Does anyone know how to allow all traffic from specific public IP addresses from outside in on the firewall in ASDM? I am having a hard time finding out how to do that. I can do static rules to allow from one server the ports I need to work, but once I try to do this for two IP addresses I get an error because it says the rule already exists (I'm guessing because of the port already being attached to another rule).

Any ideas?

Thanks in advance.
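An added example, not posted by anyone in the thread, of the policy the OP describes (three public servers inside, only SIP 5060 and RTP allowed out, only two provider hosts allowed in on those ports) written as ASA CLI in the same style as the ACL answer above. All addresses, the RTP range and the object-group names are constructed placeholders; grouping the sources in one object-group gives a single ACE per direction instead of the overlapping per-host rules that trip the "rule already exists" error in ASDM.

```cisco
! Constructed addresses from documentation ranges; substitute the real public IPs.
object-group network INSIDE_PBX_SERVERS
 network-object host 198.51.100.11
 network-object host 198.51.100.12
 network-object host 198.51.100.13
!
object-group network VOIP_PROVIDER
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! SIP signalling on UDP 5060 plus an RTP media range (10000-20000 is an assumption;
! use whatever range the PBX is actually configured for).
object-group service VOIP_PORTS udp
 port-object eq 5060
 port-object range 10000 20000
!
! Inbound from the Internet: only the two provider hosts, only to the three servers,
! only the VoIP ports. Everything else is dropped and logged.
access-list OUTSIDE_IN extended permit udp object-group VOIP_PROVIDER object-group INSIDE_PBX_SERVERS object-group VOIP_PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound: only the three servers may leave, and only on the VoIP ports.
! Return traffic for permitted connections is allowed by the stateful engine,
! so no reverse ACEs are needed.
access-list INSIDE_IN extended permit udp object-group INSIDE_PBX_SERVERS any object-group VOIP_PORTS
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! The deny entries only add logging; the ASA already drops anything an
! interface ACL does not permit. VPN sessions terminating on the ASA itself
! are to-the-box traffic and are configured separately, not through these ACLs.
```

Because no NAT is in play here, the ACLs reference the servers' real public addresses, which is also how 8.3 and later expect ACLs to be written; on 8.2 and earlier the same syntax works as long as no NAT rules translate these hosts.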
 
Stuff like this is why, when I was asked interview questions I did not know, I clearly said "I don't know". At least this way they do not expect me to configure a device I am not familiar with; instead they teach me so I can pick it up.

I do want to play with the ASAs though.
 
When he was hired, he may not have been asked about ASA appliances, and when they decided to purchase one, he had a CCNA and they may have just assumed he would know something about the device.
 
Give this guy a break, sometimes you are not in the position to say no. At one point you have to just figure it out.

That being said, I've configured them and am no CCNA :)

OP: grab a 5505 off eBay and the book mentioned. Play with it at home. $300 and some time is a drop in the bucket if you've got no sandbox and this is production.
 
> Give this guy a break, sometimes you are not in the position to say no. At one point you have to just figure it out.

Yeah, god forbid you have to learn something new on-the-fly at a tech job! :p

Even still, you need to have some lab time and reading under your belt before you are competent enough to deploy that thing in a production environment.
 
Doesn't CCNA focus primarily on fundamentals and routers? I haven't looked at the materials in a few years. A lot of things (heck, most things) on ASAs don't configure anything like routers. The new 8.3 software is starting to move things closer to router syntax, but even then, it's still a leap.

The stuff that needs to be done here is very basic and fundamental. You can get sample configs on Cisco's site with just a public CCO login, and it's all over the web as well.
 
From the sounds of it, it looks like he's figuring it out. Shit happens and people are forced to learn on the fly in IT. Happens all the time. But there's just some things even I won't touch. Exposure is too high if you fuck it up. If there's any lesson to be learned is know your limits and the risk involved. Whatever.
 
> Doesn't CCNA focus primarily on fundamentals and routers? I haven't looked at the materials in a few years. A lot of things (heck, most things) on ASAs don't configure anything like routers. The new 8.3 software is starting to move things closer to router syntax, but even then, it's still a leap.
>
> The stuff that needs to be done here is very basic and fundamental. You can get sample configs on Cisco's site with just a public CCO login, and it's all over the web as well.

I went through CCNA classes in 2000 and I have been able to configure ASAs with no problem at all. They are a little different, but not by that much.
 