Cisco ASA Firewall Basic Configuration in Packet Tracer

Nerd Cafe | نرد کافه

Understanding the Network Topology

  • In the ASA world, we divide the network into Zones. Each zone is assigned a Security Level from 0 to 100.

  • Inside (Level 100): Your trusted internal network (employees/PCs).

  • DMZ (Level 70): The "Demilitarized Zone." This is a partially trusted area where you keep servers (Web, Email) that outsiders need to access.

  • Outside (Level 0): The untrusted public internet.

The Golden Rule: By default, traffic can flow from a Higher level to a Lower level (e.g., Inside to Outside), but traffic from a Lower level to a Higher level is blocked unless you write a specific rule to allow it.

IP Address Table

Interface | Zone Name (nameif) | Security Level | IP Address    | Description
----------|--------------------|----------------|---------------|-----------------
Et 0/0    | inside             | 100            | 192.168.100.1 | Trusted LAN
Et 0/2    | DMZ                | 70             | 172.16.10.1   | Server Farm
Et 0/1    | outside            | 0              | 20.20.20.1    | Internet Gateway

Step-by-Step Configuration with Explanations

Step 1: Basic Identity & Security

First, we name the device and set passwords to prevent unauthorized changes.

Step 2: Configuring Interfaces

On an ASA, an interface isn't active until it has a Name and a Security Level.

Step 3: Automated IP Assignment (DHCP)

To save time, the ASA can automatically give IP addresses to your internal PCs.

Step 4: Secure Remote Management (SSH)

Instead of standing next to the firewall with a cable, you can manage it from your PC securely.

  • Use the local 'admin' user we created in Step 1 for SSH login

  • Generate encryption keys so your management session is secret

  • ONLY allow PCs on the 192.168.100.0 network to connect, and only through the 'inside' interface

Step 5: Access Control Lists (The "Rules")

Since the "Outside" has a security level of 0, it cannot start a conversation with any higher-level zone. We must create an ACL to permit specific traffic, such as allowing people to "Ping" (test) our servers.

  • Create a list named 'DMZ-Rules' that allows ICMP (Ping) to the DMZ servers

  • Create a rule to allow Web Traffic (Port 80)

  • Apply this list to the OUTSIDE interface so it checks incoming traffic

Step 6: Network Address Translation (NAT)

Your internal PCs use "Private" IPs (192.168...) that don't work on the public internet. NAT translates them into the ASA's public IP so they can browse the web.

  • Create an 'Object' representing your inside network

  • Tell the ASA: When traffic goes from Inside to Outside, hide it behind the outside IP

Step 7: Saving Your Work

Unlike a computer, changes on an ASA live only in the running configuration (RAM). You must save them to the startup configuration so they survive a reboot.
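The seven steps above, carried through as one complete ASA configuration. This is an added worked example, not the page's own configuration; the hostname, domain name, passwords, DHCP pool range and the default-route next hop (20.20.20.2) are placeholders, and the /24 masks are assumed because the table gives none.

```cisco
! Added worked example for Steps 1-7 (not the page's own config). Lines marked
! ASSUMED are not on the page.
! ASSUMED: every network uses a /24 mask.
! ASSUMED: Ethernet0/x takes an IP address directly, as the table shows. On an
!          ASA 5505 the IP goes on "interface Vlan N" and each Ethernet0/x is
!          placed in that VLAN with "switchport access vlan N".
!
! Step 1: identity and passwords (placeholders; change before use)
hostname ASA-FW
domain-name lab.local
enable password ChangeMe-Enable
username admin password ChangeMe-Admin privilege 15
!
! Step 2: an interface passes no traffic until it has a nameif and security-level
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif dmz
 security-level 70
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0
 no shutdown
!
! ASSUMED: the upstream router on the outside segment is 20.20.20.2
route outside 0.0.0.0 0.0.0.0 20.20.20.2
!
! Step 3: DHCP for inside PCs (ASSUMED pool; it must not include the ASA's .1)
dhcpd address 192.168.100.10-192.168.100.100 inside
dhcpd enable inside
!
! Step 4: SSH with the local admin user, RSA keys, inside network only
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.100.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Step 5: ACL permitting only ICMP and TCP/80 from outside to the DMZ subnet,
! applied inbound on outside. Every ASA ACL ends with an implicit deny, so all
! other outside-initiated traffic stays blocked.
access-list DMZ-Rules extended permit icmp any 172.16.10.0 255.255.255.0
access-list DMZ-Rules extended permit tcp any 172.16.10.0 255.255.255.0 eq 80
access-group DMZ-Rules in interface outside
!
! Step 6: dynamic PAT, hiding the inside network behind the outside interface IP
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Step 7: copy running-config to startup-config
write memory
```

Two checks worth running after pasting this in. First, `show nat` and `show xlate` after an inside PC browses outward confirm the PAT entry exists; if inside-to-outside pings time out, that is because the ASA does not track ICMP statefully by default, and adding `inspect icmp` under `class inspection_default` in `policy-map global_policy` lets the replies back in. Second, `show access-list DMZ-Rules` shows hit counts per line; on ASA 8.3 and later the ACL matches the real (untranslated) DMZ addresses, so outside hosts also need a route to 172.16.10.0/24 or a static NAT for the servers, which this page does not cover.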

💖 Support Our Work

If you find this post helpful and would like to support my work, you can send a donation via TRC-20 (USDT). Your contributions help us keep creating and sharing more valuable content.

Thank you for your generosity! 🙏

Channel Overview

🌐 Website: www.nerd-cafe.ir

📺 YouTube: @nerd-cafe

🎥 Aparat: nerd_cafe

📌 Pinterest: nerd_cafe

📱 Telegram: @nerd_cafe

📝 Blog: Nerd Café on Virgool

💻 GitHub: nerd-cafe
