Cisco Firewall Internet Configuration Analysis

Spoto | Posted on: 2019-05-23 | Views: 237 | Category: CCIE Lab



The following covers the problems you will encounter when working through the CCIE RS lab exam.


"Cisco firewall" here mainly means the ASA models from the 5512 onward, that is, the 5500-X series. The older 5510 series is end-of-sale, so its configuration is not covered; there is little point in discussing it. This section gives the most commonly used commands. Even a reader with no firewall background can get a box onto the public network with them and solve the basic problems. Still, I hope everyone will, where they have Internet access, download the configuration guide from the Cisco website and understand why each command is there.



The first step is to enable HTTP access. This is what lets an administrator manage the firewall remotely through the web interface (ASDM). Everyone is used to the command line, and I am no exception, but Cisco is now pushing the web interface, and parts of it are genuinely useful. A VPN, for example, is basically configured through the ASDM wizard and takes about a minute, whereas the same thing on the CLI can take a day if you are not fluent in the commands. It has its problems too: troubleshooting through the GUI is especially awkward, so you should use the command line and the graphical interface together.


Basic configuration:


Create a local administrator: username cisco password cisco privilege 15. (cisco/cisco is only a placeholder; on a real device use a unique account name and a strong password, because this login is reachable from every management interface you open below.) After the user exists, the following commands are required for it to take effect, that is, to make each management method authenticate against the local user database:


aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL

Configure the HTTP (ASDM) function:


http server enable
username cisco password cisco privilege 15
asdm image disk0:/asdm-713.bin
boot system disk0:/asa911-4-smp-k8.bin
http 0 0 inside
http 0 0 outside


Note that the ASA software image and the ASDM image must be compatible releases for the same platform; they are installed as two separate files, as above. Also note that http 0 0 outside opens ASDM to the entire Internet; on a production device, restrict it to your administrative source addresses instead of 0 0. ASDM also needs Java installed on the administrator's workstation. The version in use here is Java 7, and Java is a frequent source of trouble; everyone runs into this when installing ASDM.

The usual cause is that the Java version you installed does not match the ASDM version. The only fix is to reinstall Java. There is no rule to state beyond the fact that a newer ASDM needs a newer Java, so it takes repeated attempts. I often get this wrong myself.


The following is the SSH and Telnet login configuration. Local authentication is mandatory here: without the aaa authentication ssh console LOCAL line, your local users are not used for SSH and you cannot log in with them. Note that the ssh and telnet commands take a source address and mask before the interface name, exactly like the http lines above; 0 0 means any source, and on a real device you should narrow it to your administrative network, especially on outside. Three further points a practitioner should be aware of: a 1024-bit RSA modulus is considered weak today and 2048 should be used; telnet sends credentials in cleartext and is best left off even on inside; and console timeout 0 disables the idle timeout on the serial console entirely.


aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 0 0 inside
ssh 0 0 outside
ssh timeout 30
ssh version 2
telnet 0 0 inside
console timeout 0
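The management-plane lines above (http, ssh, telnet, the local user and the console timeout) are exactly the ones worth checking before a firewall goes live. The following is an added example, not code from the original post: a small lint that reads ASA config text and flags wide-open management access, telnet, weak local credentials and a disabled console timeout. WEAK_CONFIG is the post's own lines reassembled; HARDENED_CONFIG, the admin subnet 192.168.1.0/24, the severity labels and the weak-password list are this example's own assumptions.

```python
"""Management-plane lint for Cisco ASA configs (added example, not from the post).

The two sample configs are constructed: WEAK_CONFIG is the post's own lines
reassembled, HARDENED_CONFIG is one possible corrected counterpart. Severity
labels, the admin subnet and the password list are this example's choices.
"""
import re
from typing import List, Tuple

WEAK_CONFIG = """\
username cisco password cisco privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0 0 inside
http 0 0 outside
ssh 0 0 inside
ssh 0 0 outside
ssh timeout 30
ssh version 2
telnet 0 0 inside
console timeout 0
"""

HARDENED_CONFIG = """\
username netadmin password Str0ng-Passw0rd!42 privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 10
"""

Finding = Tuple[str, str]  # (severity, message)

ANY_SOURCE = {"0 0", "0.0.0.0 0.0.0.0"}
WEAK_PASSWORDS = {"cisco", "admin", "password", "123456"}
# http/ssh/telnet <source> <mask> <nameif>: who may reach the management plane
MGMT_ACCESS = re.compile(r"^(http|ssh|telnet) (\S+ \S+) (\S+)$")
LOCAL_USER = re.compile(r"^username (\S+) password (\S+)")


def audit_management(config: str) -> List[Finding]:
    """Return (severity, message) findings for the management-plane lines."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[Finding] = []
    ssh_enabled = False

    for line in lines:
        m = MGMT_ACCESS.match(line)
        if m:
            proto, source, ifname = m.groups()
            ssh_enabled = ssh_enabled or proto == "ssh"
            if proto == "telnet":
                findings.append(("HIGH", f"telnet enabled on '{ifname}': cleartext logins, use ssh only"))
            if source in ANY_SOURCE:
                sev = "HIGH" if ifname == "outside" else "MEDIUM"
                findings.append((sev, f"{proto} management on '{ifname}' accepts any source; restrict to an admin subnet"))
            continue
        m = LOCAL_USER.match(line)
        # Only meaningful on the plain-text form as typed; 'show run' stores a hash.
        if m and (m.group(2).lower() == m.group(1).lower() or m.group(2).lower() in WEAK_PASSWORDS):
            findings.append(("HIGH", f"user '{m.group(1)}' has a weak or default password"))

    if ssh_enabled and "aaa authentication ssh console LOCAL" not in lines:
        findings.append(("HIGH", "ssh allowed without 'aaa authentication ssh console LOCAL': local users are not used for SSH"))
    if ssh_enabled and "ssh version 2" not in lines:
        findings.append(("MEDIUM", "ssh version 2 not forced; SSHv1 may still be accepted"))
    if "console timeout 0" in lines:
        findings.append(("LOW", "console timeout 0: idle console sessions never expire"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_management(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run against the post's lines the lint reports eight findings (any-source http and ssh on outside, telnet, and the cisco/cisco user as HIGH); the hardened counterpart reports none. The password check only works on config as typed, since a saved running-config stores the hash.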


The following configuration lets ICMP through. As everyone knows, by default you cannot ping the public network from inside: ICMP is not inspected statefully, so the echo replies coming back from outside are dropped. You can also permit the replies with an ICMP access list on the outside interface, but I prefer to enable ICMP inspection in the global policy, which makes the ASA track echo requests and admit only their matching replies:


policy-map global_policy
 class inspection_default
  inspect icmp


The configuration above is common to every firewall and identical on each one. Now let's look at the interface configuration:


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 183.129.X.X 255.255.255.X

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address



The above configures the addresses and security levels of the firewall's inside and outside interfaces. The security level is the firewall's basic means of separating the internal and external networks: by default, traffic initiated from a higher security level (inside, 100) to a lower one (outside, 0) is permitted, and its return traffic is allowed back by the stateful connection table, whereas traffic initiated from a lower level to a higher one is denied. If you need connections from outside to reach inside, you must explicitly permit them with an access list, as is done for the port mappings further down. Note that a router has no such feature; on a router everything is forwarded until you apply an ACL.



object network outstatic

object network inside

nat (inside,outside) source dynamic inside interface
route outside 0.0.0.0 0.0.0.0 183.129.X.X



The commands above are very important, and their meaning is simple: they perform port address translation (PAT). An internal network cannot reach the public network without address translation, and in general an enterprise has only one public address, so all internal hosts must be translated onto the outside interface address before they can get out. Note that the object network inside (its subnet line is not shown here) should be defined generously enough to cover every internal network that needs Internet access. The default route at the end is indispensable, otherwise there is no path to the public network; its next hop is the gateway address the operator gives you.


Of course, if there is a Layer 3 core switch behind the firewall, you also need a static route towards the internal networks through it, of the form route inside (internal network) (mask) (core switch address), with your own values filled in; otherwise the firewall does not know how to reach the subnets behind the core switch.



With the configuration up to this point, an enterprise can reach the public network; roughly 80% of customers are fully configured here. Some customers also need a VPN or port mapping (publishing internal services on the outside address), which is configured as follows:


object network tcp21
object network tcp53
object network udp53
object network tcp33789
object network tcp36952
object network tcp443




access-list 101 extended permit tcp any host eq 808
access-list 101 extended permit tcp any host eq 5000
access-list 101 extended permit tcp any host eq 8081
access-list 101 extended permit tcp any host eq ftp
access-list 101 extended permit tcp any host eq domain
access-list 101 extended permit tcp any host eq 36952
access-list 101 extended permit tcp any host eq 33789




object network static
 nat (inside,outside) static interface service tcp 808 808
object network static1
 nat (inside,outside) static interface service tcp 5000 5000
object network test
 nat (inside,outside) static interface service tcp 135 135
object network tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network tcp21
 nat (inside,outside) static interface service tcp ftp ftp
object network tcp53
 nat (inside,outside) static interface service tcp domain domain
object network udp53
 nat (inside,outside) static interface service udp domain domain
object network tcp33789
 nat (inside,outside) static interface service tcp 33789 33789
object network tcp36952
 nat (inside,outside) static interface service tcp 36952 36952


In the port mapping above, pay attention to the real address: each object network needs a host line with the real internal address of the server, and the access list entries permit traffic to that same real address (since ASA 8.3 the outside ACL matches the untranslated destination). The host addresses have been left out of the listing here. Two further checks a practitioner should make: the access list only takes effect once it is applied to the outside interface with access-group 101 in interface outside, and every static mapping needs a matching permit. In the listing above, tcp 135 and udp domain are translated but never permitted, so they will not work as written; and publishing MS-RPC (tcp 135) to the Internet is rarely justified in any case.
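Mismatches like the ones just described are easy to miss by eye once a few dozen services are published. The following is an added example, not code from the original post: it parses the object network / static PAT blocks and the inbound access list from ASA config text and reports translations with no permit, permits with no translation, and an access list that is never applied. SAMPLE_CONFIG is constructed from the post's port-mapping section with RFC 1918 host addresses filled in where the post leaves them blank; the ACL name 101 is the post's, and the port-name table covers only the keywords used here.

```python
"""Cross-check static PAT entries against the outside ACL on a Cisco ASA config.

Added example, not from the original post. SAMPLE_CONFIG is constructed from
the post's port-mapping section with RFC 1918 hosts filled in (the post leaves
the real addresses blank); the ACL name '101' is the post's.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
object network static
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 808 808
object network static1
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 5000 5000
object network test
 host 192.168.1.20
 nat (inside,outside) static interface service tcp 135 135
object network tcp8081
 host 192.168.1.30
 nat (inside,outside) static interface service tcp 8081 8081
object network tcp21
 host 192.168.1.40
 nat (inside,outside) static interface service tcp ftp ftp
object network tcp53
 host 192.168.1.50
 nat (inside,outside) static interface service tcp domain domain
object network udp53
 host 192.168.1.50
 nat (inside,outside) static interface service udp domain domain
access-list 101 extended permit tcp any host 192.168.1.10 eq 808
access-list 101 extended permit tcp any host 192.168.1.10 eq 5000
access-list 101 extended permit tcp any host 192.168.1.30 eq 8081
access-list 101 extended permit tcp any host 192.168.1.40 eq ftp
access-list 101 extended permit tcp any host 192.168.1.50 eq domain
access-list 101 extended permit tcp any host 192.168.1.60 eq 36952
"""

# ASA accepts these service names in place of port numbers (subset used here).
PORT_NAMES = {"ftp": 21, "domain": 53, "www": 80, "https": 443, "ssh": 22, "smtp": 25}

Forward = Tuple[str, str, int]  # (protocol, real host, real port)

OBJECT_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
PAT_RE = re.compile(r"^\s+nat \(inside,outside\) static interface service (tcp|udp) (\S+) (\S+)")


def port_number(token: str) -> int:
    """Resolve a numeric port or an ASA service keyword to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_static_pat(config: str) -> List[Tuple[str, Forward]]:
    """(object name, (proto, real host, real port)) for each static PAT under an object."""
    found: List[Tuple[str, Forward]] = []
    obj, host = None, None
    for line in config.splitlines():
        if m := OBJECT_RE.match(line):
            obj, host = m.group(1), None
        elif m := HOST_RE.match(line):
            host = m.group(1)
        elif (m := PAT_RE.match(line)) and obj:
            # Since ASA 8.3 the outside ACL matches the real (untranslated) host and port.
            found.append((obj, (m.group(1), host or "?", port_number(m.group(2)))))
    return found


def parse_acl_permits(config: str, acl: str) -> Set[Forward]:
    """Inbound permits of the form 'permit <proto> any host <real host> eq <port>'."""
    rule = re.compile(rf"^access-list {re.escape(acl)} extended permit (tcp|udp) any host (\S+) eq (\S+)")
    return {(m.group(1), m.group(2), port_number(m.group(3)))
            for m in map(rule.match, config.splitlines()) if m}


def cross_check(config: str, acl: str = "101") -> Dict[str, List[str]]:
    """Report translations without permits, permits without translations, and an unapplied ACL."""
    forwards = parse_static_pat(config)
    permits = parse_acl_permits(config, acl)
    report: Dict[str, List[str]] = {"nat_without_acl": [], "acl_without_nat": [], "acl_not_applied": []}
    for name, (proto, host, port) in forwards:
        if (proto, host, port) not in permits:
            report["nat_without_acl"].append(f"{name}: {proto}/{port} -> {host} is translated but ACL {acl} never permits it")
    translated = {fwd for _, fwd in forwards}
    for proto, host, port in sorted(permits - translated):
        report["acl_without_nat"].append(f"ACL {acl} permits {proto}/{port} -> {host} but no static PAT delivers it")
    if not re.search(rf"^access-group {re.escape(acl)} in interface outside", config, re.M):
        report["acl_not_applied"].append(f"ACL {acl} is never applied with 'access-group {acl} in interface outside'")
    return report


if __name__ == "__main__":
    for category, items in cross_check(SAMPLE_CONFIG).items():
        for item in items:
            print(f"[{category}] {item}")
```

On the constructed sample it reports the two gaps visible in the post's own listing (tcp/135 and udp/53 translated but not permitted), one permit with nothing behind it (tcp/36952 to a host with no mapping), and the missing access-group line.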




