Firewall Management - ASA

1. Accessing Firewall

In order to access the Cisco ASA firewall you will need to have a program called Cisco ASDM installed on your computer. This program can be downloaded from the firewall itself by visiting the main IP in a web browser.

Open your preferred web browser and navigate to https://<Firewall IP>. You may see a warning about an invalid SSL certificate; this is expected, because by default the ASA uses a self-signed certificate that the web browser cannot verify, and the warning can be bypassed.

Once you bypass the warning you will be presented with the ASDM download page:

Click on Install ASDM Launcher and follow the wizard that appears.

Accessing the firewall via ASDM

Once you have downloaded and installed ASDM, run the program and you will be presented with the launcher screen. Fill in the details provided by the support team in the handover email for the firewall to log in.

Device IP address: This will be the main external IP for the firewall

Username: This is normally admin unless it has been changed or any other user set up with permissions to log in
Password: This will be provided in the support ticket

Once you click on OK, ASDM will reach out and log into the firewall. If there are any pending updates for the ASDM software, it will download and install them.

Once the software has logged in, the main firewall dashboard will be displayed, and a box will pop up showing the login history for the user, including any successful or failed logins. Click on OK to dismiss this box.

Once the box is dismissed, you can access all the relevant sections and manage the firewall.

2. Adding Rules

In order to allow access to the hosts behind the firewall, you need to add access rules.

This can be done on the firewall configuration page and is also done per interface. By default, there are two interfaces: Outside and Inside.

The outside interface is the WAN and is for traffic coming into the firewall from the internet.
The inside interface is the LAN and is for traffic from the LAN to the internet.

Adding a Rule

To add a rule, from the firewall dashboard, click on Configuration and then Firewall. This takes you to the access rules page where you can manage or add rules.

Find the interface you are looking to add a rule on, right-click on the relevant interface name and then click Add Access Rule. This will pop up the Add Access Rule form, which allows you to enter the relevant details.

Interface: This can be any interface depending on your needs
Action: Permit or deny the traffic for the rule
Source: This can be any specific network object you have created
User: This is normally blank unless connected to active directory servers
Security Group: This is blank by default unless you have set up security groups
Destination: This is the destination network object for the traffic
Service: This can be set to specific ports or services depending on your requirements
Description: This should be relevant to the purpose of the rule
Enable Logging: This is enabled by default and logs all traffic for the rule
Logging Level: This sets the level of logging for the rule.

Once you are happy with what you have entered, click on OK to add the rule. Once added, you will need to save the configuration by clicking on Save on the main ASDM menu.

3. Creating/Managing Network Objects and Groups

In order to make managing the rules on the firewall easier we would recommend setting up Network Objects and Groups. These allow for easier understanding of the rules and management.

How To Set up a Network Object

What is a network object: A network object is an alternate name for a host. It can contain a hostname, an IP address or even a full subnet in CIDR notation. Network objects make adding rules easier, as you can give them names that make them easy to identify.

This then means when you are looking at the rules on the firewall you can see at a glance what the rules are set up for, rather than having to investigate further.

From the firewall dashboard, click on Configuration and then Firewall. This will take you to the access rules page, where you can view and edit the access rules on the firewall.

On the right-hand side there is a list of the existing network objects. Click on Add and then Network Object; this will bring up a form where you fill in the details of the new network object.

Name: This is the name you set for the object. We recommend making this relevant to the object you are setting up, for example: Home IP, WebServer etc.
Type: This depends on your needs and can be any of the following:
  Host: This is an individual hostname or IP address
  Range: This is a range of IP addresses in a subnet
  Network: This is a full subnet, for example 10.10.10.0/24
  FQDN: This is the fully qualified domain name for an item you wish to add, for example, test.com
Depending on which of the above you select, the next box will ask for the matching value: an IP address, a range, a subnet or a domain name.
NAT: This dropdown can be used to add NAT rules to the network object if you are looking to have that object available on an external IP.

Once you have clicked on OK, you will then need to click on apply at the bottom of the page, depending on your settings this may go through and apply straight away, or it will pop up a box showing you the command line interface version of what it is going to apply.

If this pops up click on send and it will save the new object. However, this does not save it to the configuration of the firewall, in order to do this you will need to click on Save on the top menu bar of ASDM which will then make the changes permanent. Again this may just go through or will show another pop-up box depending on your settings.

How To Set up a Network Object Group

A network object group is an easier way to apply multiple network objects to a rule rather than having individual rules.

For example: You have 5 web servers you want to open ports 80 and 443 on, rather than creating 5 individual rules for them, you can create a network object group and set up one rule.

To create a network object group, click on Configuration > Firewall and then Add in the right-hand menu. This time select Network Object Group, and it will pop up the form to add a new group.

In order to add the group, you need to fill out the form, select the objects you want to be added and then move them over to the right-hand side. If needed, you can also create a new network object from this page.

Group Name: This is the name you want to give the object group for example webservers
Description: This should be a relevant description of the group objects.
Once you have filled these in, you can click on an object and then on add to move it into the group.

Once you have filled in all of the objects you want in the group, click on ok. Follow the process as above for saving the configuration: Click on Apply at the bottom of ASDM and then Save at the top of the program to save the configuration.
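The "command line interface version" that ASDM shows before applying is ordinary ASA configuration. The block below is an added example (not taken from this page or from ASDM output) of what the Add Network Object, Network Object Group and Add Access Rule forms above produce for the five-web-server scenario; all names and addresses are constructed, and the ACL name outside_access_in is the one ASDM conventionally uses for the outside interface.

```cisco
! --- Network objects: one of each "Type" choice on the Add Network Object form ---
! WebServer1 also uses the "NAT" dropdown: object NAT publishes it on an external IP.
object network WebServer1
 host 10.10.10.11
 description Public web server (constructed address)
 nat (inside,outside) static 203.0.113.11
object network WebServer2
 host 10.10.10.12
object network Guest-Pool
 range 10.10.10.50 10.10.10.60
object network LAN
 subnet 10.10.10.0 255.255.255.0
! An FQDN object only works if DNS lookup is configured on the ASA.
object network Partner-Site
 fqdn partner.example.com
!
! --- Network object group: one group and one rule instead of a rule per server ---
object-group network WebServers
 description Public-facing web servers
 network-object object WebServer1
 network-object object WebServer2
!
! --- Service object group for the ports the rule opens (80 and 443) ---
object-group service WebPorts tcp
 port-object eq www
 port-object eq https
!
! --- Access rules for the outside interface (the Add Access Rule form) ---
! Action=Permit, Source=any, Destination=WebServers, Service=WebPorts,
! Enable Logging=on at the default (informational) level.
! On ASA 8.3 and later the rule matches the REAL inside address, so it
! references the object, not the translated 203.0.113.11.
access-list outside_access_in remark Public web access to the web server group
access-list outside_access_in extended permit tcp any object-group WebServers object-group WebPorts log
! Explicit final deny with a chosen Logging Level (warnings) so dropped
! traffic is visible in syslog at the level you want.
access-list outside_access_in extended deny ip any any log warnings
!
! Bind the ACL to the interface (the form's "Interface" field). Without this
! line the rules exist in the configuration but are not applied to any traffic.
access-group outside_access_in in interface outside
```

Clicking Apply sends these lines to the running configuration; clicking Save (write memory) is what makes them survive a reload, which is why both steps are needed.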

4. How to Update Firewall

5. Remote Access VPN Set Up

6. Setting up NAT

7. Site to Site VPN Setup
