Cisco Firewall Internet Configuration Analysis

The following covers the problems you will encounter when working through the CCIE RS lab exam.

Cisco's firewall here mainly means the models from the 5512 onward, that is, the 5500-X series. The earlier 5510 series is not covered because it has been discontinued, so there is little point in discussing its configuration. This article gives the most commonly used configurations: even a reader who knows nothing about the firewall can use them to get onto the public network and solve the basic problems. Of course, I still hope that once you have public network access you go to the Cisco website, download the configuration guide, and try to understand why each configuration is written this way.

The first thing is to enable the HTTP function, which lets an administrator manage the firewall remotely through the web interface (ASDM). Everyone is used to the command line, and I am no exception, but Cisco is now pushing the web interface, and some of its functions are genuinely useful. For example, I configure VPNs almost entirely through the web interface: it can take only a minute to get a working configuration, whereas doing the same from the command line might not be finished in a day. It has its own problems, though; troubleshooting through it is especially complicated. You should use the command line and the graphical interface together.

Basic configuration:

Configure the user and password: username cisco password cisco privilege 15. After the username and password are configured, the following commands must be applied for them to take effect:

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL

Configure the HTTP function:

http server enable
username cisco password cisco privilege 15
asdm image disk0:/asdm-713.bin
boot system disk0:/asa911-4-smp-k8.bin
http 0 0 inside
http 0 0 outside

Note that the firewall software (IOS) version and the ASDM image here should be from the same platform release. They can differ, but keep them matched. Also note that the ASDM launcher needs Java installed; the version used here is Java 7, and Java is frequently the source of problems. Everyone runs into the following error at some point when installing ASDM.


The situation above is usually caused by a mismatch between the Java version you installed and the ASDM software version. The only fix is to reinstall Java. There is no rule of thumb beyond this: the newer the ASDM version you install, the newer the Java version it needs, and it can take several attempts. I often get this wrong myself.

The following is the configuration for SSH and Telnet login. Note that local authentication must be bound to SSH, otherwise there is no way to use SSH.

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh inside
ssh outside
ssh timeout 30
ssh version 2
telnet inside
console timeout 0
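As an added example (not code from the post), the following Python script audits the management-plane commands above the way a reviewer would before putting the firewall on the public network. It encodes the two points the text makes (SSH and HTTP must be bound to LOCAL authentication, and SSH should be restricted to version 2) and flags the exposures that matter most: ASDM or SSH reachable from any source on the outside interface, cleartext telnet, an RSA host key under 2048 bits, a console that never times out, and a local user whose password equals its username. The sample configuration inside it is constructed from the post's commands; where the post's ssh and telnet lines show no source address, the sample assumes 0.0.0.0 0.0.0.0 (any source), and the hardened variant uses an assumed management subnet 10.10.0.0/24.

```python
"""Audit the management-plane lines of a Cisco ASA configuration.

Added example, not code from the original post. Findings are strings of
the form 'SEVERITY: message' so they can be printed or asserted on.
"""
import re

# ASA accepts both "0 0" and "0.0.0.0 0.0.0.0" to mean "any source".
ANY_SOURCE = {"0", "0.0.0.0"}

# Constructed sample built from the post's commands. The ssh/telnet source
# addresses are an assumption (the post's lines show only the interface).
SAMPLE_CONFIG = """\
username cisco password cisco privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0 0 inside
http 0 0 outside
crypto key generate rsa modulus 1024
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
telnet 0.0.0.0 0.0.0.0 inside
console timeout 0
"""

# Constructed hardened variant: management only from an assumed admin
# subnet on inside, no telnet, 2048-bit key, idle timeouts everywhere.
HARDENED_CONFIG = """\
username admin password Str0ng-Passphrase-Here privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.10.0.0 255.255.255.0 inside
crypto key generate rsa modulus 2048
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 10
"""


def audit_management_plane(config):
    """Return a list of 'SEVERITY: message' findings for one ASA config."""
    findings = []
    has_ssh_aaa = has_http_aaa = ssh_v2 = False
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if line == "aaa authentication ssh console LOCAL":
            has_ssh_aaa = True
        elif line == "aaa authentication http console LOCAL":
            has_http_aaa = True
        elif line == "ssh version 2":
            ssh_v2 = True
        elif tok[0] == "username" and "password" in tok:
            # username <name> password <secret> ...: flag name == secret
            if tok[1] == tok[tok.index("password") + 1]:
                findings.append(f"LOW: user {tok[1]} has a password equal to the username")
        elif tok[0] in ("http", "ssh", "telnet") and len(tok) == 4:
            # <proto> <source-addr> <source-mask> <interface>
            proto, addr, mask, iface = tok
            if addr in ANY_SOURCE and mask in ANY_SOURCE:
                sev = "HIGH" if iface == "outside" else "MEDIUM"
                findings.append(f"{sev}: {proto} management open to any source on {iface}")
            if proto == "telnet":
                findings.append(f"MEDIUM: cleartext telnet enabled on {iface}")
        elif tok[:4] == ["crypto", "key", "generate", "rsa"]:
            m = re.search(r"modulus (\d+)", line)
            if m and int(m.group(1)) < 2048:
                findings.append(f"MEDIUM: RSA host key modulus {m.group(1)} is below 2048 bits")
        elif line == "console timeout 0":
            findings.append("LOW: console sessions never time out")
    if not has_ssh_aaa:
        findings.append("HIGH: SSH not bound to LOCAL authentication; the configured username will not work over SSH")
    if not has_http_aaa:
        findings.append("HIGH: HTTP/ASDM not bound to LOCAL authentication; the configured username is not used")
    if not ssh_v2:
        findings.append("MEDIUM: SSH not restricted to version 2")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit_management_plane(HARDENED_CONFIG))
```

Run it as a script and it prints the nine findings for the post's configuration (two of them HIGH: ASDM and SSH exposed to any source on outside) and an empty list for the hardened variant. The checks are deliberately literal string matches on the commands the post uses; a configuration written with different keyword order would need the patterns extended.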

The following configuration allows ICMP traffic through. As everyone knows, by default you cannot ping the public network from behind the firewall, so you must permit it. You could also write an ICMP ACL, but I prefer the following method, which enables ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

The configuration above is common to every firewall and is the same on each one. Now let's look at the interface configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 183.129.X.X 255.255.255.X

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address

The above configures the inside and outside interface addresses and security levels of the firewall. Everyone knows that the security level is the basic means of separating the internal and external networks: by default, a higher security level can initiate access to a lower one, but a lower level cannot initiate access to a higher one. So inside can reach outside, but not vice versa; if you need the reverse direction, you must explicitly permit it. Note that a router does not have this feature.

object network outstatic

object network inside

nat (inside,outside) source dynamic inside interface
route outside 183.129.X.X

The commands above are very important and their meaning is simple: they perform port address translation (PAT). As everyone knows, without address translation the internal network cannot reach the public network. In general an enterprise has only one public address, so you must do PAT before internal hosts can get out. Note that the subnet in the object above should be made large enough. The last line, the default route, is definitely needed, otherwise there is no way to reach the public network; the address is the gateway your operator gives you.

Of course, if there is a Layer 3 core switch, you also need a route inside command for the internal networks so that the firewall can reach them through the core switch.

Well, with the configuration so far the enterprise can generally reach the public network; roughly 80% of customers are done at this point. Some customers also need VPN and port mapping, which is configured as follows:

object network tcp21
object network tcp53
object network udp53
object network tcp33789
object network tcp36952
object network tcp443

access-list 101 extended permit tcp any host eq 808
access-list 101 extended permit tcp any host eq 5000
access-list 101 extended permit tcp any host eq 8081
access-list 101 extended permit tcp any host eq ftp
access-list 101 extended permit tcp any host eq domain
access-list 101 extended permit tcp any host eq 36952
access-list 101 extended permit tcp any host eq 33789

object network static
 nat (inside,outside) static interface service tcp 808 808
object network static1
 nat (inside,outside) static interface service tcp 5000 5000
object network test
 nat (inside,outside) static interface service tcp 135 135
object network tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network tcp21
 nat (inside,outside) static interface service tcp ftp ftp
object network tcp53
 nat (inside,outside) static interface service tcp domain domain
object network udp53
 nat (inside,outside) static interface service udp domain domain
object network tcp33789
 nat (inside,outside) static interface service tcp 33789 33789
object network tcp36952
 nat (inside,outside) static interface service tcp 36952 36952

When configuring the port mapping above, pay attention to the real address: the access list must name the internal server's real address, not the translated one.
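As an added example (not code from the post), the following Python script cross-checks a set of static port forwards against the access list that exposes them. It ties together the two points made above: because outside (security level 0) cannot initiate traffic to inside (security level 100) by default, every static service NAT needs a matching permit entry in an ACL that is actually bound to the outside interface with access-group, and since ASA 8.3 that entry must name the server's real (pre-NAT) address. The sample configuration is constructed in the shape of the post's listing, with the host lines and the access-group statement that the listing omits filled in; all addresses are from the RFC 5737 documentation ranges (203.0.113.5 stands for the firewall's outside address, 192.0.2.x for internal servers), and the object names are mine.

```python
"""Cross-check ASA static port forwards against the inbound ACL.

Added example, not code from the original post. Parses object network /
nat ... service, access-list ... permit ... eq and access-group lines,
then reports forwards with no ACL entry, ACL entries that name the
wrong (translated) address, and ACLs that are defined but never bound.
"""

# ASA port keywords that appear in the post's listing, mapped to numbers.
PORT_NAMES = {"ftp": 21, "domain": 53, "www": 80, "https": 443}

# Constructed sample. Two gaps are deliberate: tcp/135 and udp/53 are
# forwarded but not permitted, and the tcp/5000 entry names the outside
# address instead of the server's real address.
SAMPLE_CONFIG = """\
object network srv808
 host 192.0.2.10
 nat (inside,outside) static interface service tcp 808 808
object network srv5000
 host 192.0.2.12
 nat (inside,outside) static interface service tcp 5000 5000
object network srv135
 host 192.0.2.13
 nat (inside,outside) static interface service tcp 135 135
object network tcp53
 host 192.0.2.53
 nat (inside,outside) static interface service tcp domain domain
object network udp53
 host 192.0.2.53
 nat (inside,outside) static interface service udp domain domain
access-list 101 extended permit tcp any host 192.0.2.10 eq 808
access-list 101 extended permit tcp any host 203.0.113.5 eq 5000
access-list 101 extended permit tcp any host 192.0.2.53 eq domain
access-group 101 in interface outside
"""


def port_number(token):
    """Resolve an ASA port keyword or numeric port string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(config):
    """Extract static service NATs, permit ACL entries and ACL bindings."""
    nat_rules, acls, applied = [], {}, {}
    current_obj, object_host = None, {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current_obj = tok[2]
        elif tok[0] == "host" and current_obj:
            object_host[current_obj] = tok[1]
        elif tok[0] == "nat" and "service" in tok:
            # nat (real,mapped) static <mapped> service <proto> <real_port> <mapped_port>
            i = tok.index("service")
            nat_rules.append({
                "object": current_obj,
                "real_host": object_host.get(current_obj),
                "proto": tok[i + 1],
                "real_port": port_number(tok[i + 2]),
                "mapped_port": port_number(tok[i + 3]),
            })
        elif tok[0] == "access-list" and len(tok) >= 9 and tok[3] == "permit" and "eq" in tok:
            # access-list <name> extended permit <proto> <src> <dst> eq <port>;
            # the source is assumed to be "any" or "host <addr>"
            name, proto = tok[1], tok[4]
            idx = 6 if tok[5] == "any" else 7
            dest = tok[idx + 1] if tok[idx] == "host" else tok[idx]
            port = port_number(tok[tok.index("eq") + 1])
            acls.setdefault(name, []).append((proto, dest, port))
        elif tok[0] == "access-group":
            # access-group <name> in interface <iface>
            applied[tok[1]] = tok[4]
    return nat_rules, acls, applied


def check_port_forwarding(config):
    """Return 'SEVERITY: message' findings for the forwards in config."""
    nat_rules, acls, applied = parse_config(config)
    findings = []
    for name in acls:
        if name not in applied:
            findings.append(f"HIGH: access-list {name} is defined but never bound with access-group")
    # Only entries of an ACL bound to outside affect traffic entering from outside.
    permitted = [e for name, iface in applied.items() if iface == "outside"
                 for e in acls.get(name, [])]
    for rule in nat_rules:
        proto, port, host = rule["proto"], rule["real_port"], rule["real_host"]
        same_port = [e for e in permitted if e[0] == proto and e[2] == port]
        if not same_port:
            findings.append(f"INFO: {proto}/{port} is forwarded to {host} but no inbound ACL on outside permits it")
        elif not any(e[1] == host for e in same_port):
            findings.append(f"HIGH: ACL for {proto}/{port} permits {same_port[0][1]}, not the real server {host}")
    return findings


if __name__ == "__main__":
    for finding in check_port_forwarding(SAMPLE_CONFIG):
        print(finding)
```

Run as a script, it reports the tcp/5000 entry as HIGH (it names the outside address, so the forward silently never matches) and tcp/135 and udp/53 as forwarded but unexposed. Removing the access-group line turns every forward into a finding, which is the state the post's own listing is in: the ACL 101 entries do nothing until they are bound to the outside interface.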
