Configuring ASA 5506, Practice Lab - PKT

The document provides step-by-step instructions for configuring basic firewall functions on a Cisco ASA 5506-X device, including interface configuration, DHCP server setup, NAT, ICMP inspection, HTTP inspection, DNS inspection, and AAA authentication for SSH access. The configurations are demonstrated through examples on the ASA device console.

Uploaded by hh3623531

Today's video is about the ASA 5506-X. I will perform basic configurations on this device in a few easy steps, with some definitions along the way.
I hope my videos are helpful for those who are preparing for the Cisco exams. If you like my videos, please subscribe to my channel, share it on your Facebook page and give it a thumbs up, and let me know if you have any suggestions, comments or questions; I will gladly answer you.
On Facebook I created a group where I post all of my labs; the group is called "CCNA Free Practice labs, Walk through".
You need to install Packet Tracer. I posted a video that shows step by step how to download and install Packet Tracer, in English or Arabic; see my video channel or my Facebook group.
In the description of this video you will find two files: the Packet Tracer source file and the document that walks you through the lab step by step, until you are finally able to verify the configurations you did during this lab.
What is ASA?
ASA stands for Adaptive Security Appliance. In brief, Cisco ASA is a
security device that combines firewall, antivirus, intrusion prevention,
and virtual private network (VPN) capabilities. It provides proactive
threat defense that stops attacks before they spread through the
network.
I will start by configuring Router1:
On Router1:
# enable
# conf t
# hostname Router1
# int G0/1
# ip address 8.8.8.1 255.255.255.0
# no shut
# int G0/0
# ip address 10.1.1.2 255.255.255.252
# no shut
The router end of the 10.1.1.0/30 link must be 10.1.1.2: the ASA outside interface is configured with 10.1.1.1 later in this lab, and the ASA default route points at 10.1.1.2.
NEXT:
I will configure the ASA.
On the ASA:
# enable
(Press Enter at the password prompt: no password is configured yet.)
# conf t
# hostname ASA5506
I will configure an enable password of "cisco":
# enable password cisco
I will configure the domain name ccna.com (the lab server is reached as www.ccna.com):
# domain-name ccna.com
I will configure a username of Admin1 with a password of "cisco":
# username Admin1 password cisco

NEXT:
I will check what has been pre-configured on the device by default.
# show run
We notice the following on G1/1:
The name of the interface: "nameif inside"
The security level of 100
And the private internal IP address of 192.168.1.1/24
We also notice the following on G1/2:
The name of the interface: "nameif outside"
Security level of 0
And the IP address obtained by DHCP
NEXT:
I will remove this configuration from the two interfaces.
On ASA5506:
# conf t
# int G1/1
# no ip address 192.168.1.1 255.255.255.0
# no nameif
# no security-level 100
# int G1/2
# no ip address dhcp
# no nameif
# no security-level 0
NEXT:
I will verify that the ports are clear:
# show run
We notice that the ports are clear, and now I will configure the interfaces as shown in the topology.
On ASA5506:
# int G1/1
# ip address 10.1.1.1 255.255.255.252
# nameif outside
# security-level 0
# no shut
NEXT:
Time to configure the internal private network on the interface Management1/1 (Ma1/1):
# int ma1/1
# ip address 192.168.1.1 255.255.255.0
# nameif inside
# security-level 100
# no shut
Now that I am done with the interface configuration, I will verify.
On IOS we usually use the command "show ip interface brief", but on the ASA firewall the commands are as follows:
# show interface ip brief
# show ip address
NEXT:
I will configure ASA5506 as the DHCP server for the internal network.
I will set the pool of addresses:
# dhcpd address 192.168.1.10-192.168.1.20 inside
I will configure the DNS server handed out to the clients:
# dhcpd dns 8.8.8.8
The default gateway:
# dhcpd option 3 ip 192.168.1.1
Next, I will activate the DHCP server and enable it on the inside interface:
# dhcpd enable inside
Now that the configuration is done, I will verify on both PCs, PC-A and PC-B, that they receive their IP addresses from the DHCP server.
NEXT:
I will configure a default route so that the internal private network can reach the server on the Internet.
On ASA5506:
# conf t
# route outside 0.0.0.0 0.0.0.0 10.1.1.2
NEXT:
I will configure NAT on the ASA5506.
Network Address Translation
NAT stands for "Network Address Translation". NAT translates the IP addresses of computers in a local network to a single IP address. This address is often the one used by the router that connects the computers to the Internet.
Dynamic NAT (on the ASA) is used to translate private IP addresses into public IP addresses while accessing the Internet. NAT generally operates on a router or firewall. In this type of NAT, multiple private IP addresses are mapped to a pool of public IP addresses; with "dynamic interface", as used below, the pool is the single address of the outside interface, so all inside hosts share it (dynamic PAT).
First, I will create a network object.
A network object can contain a host, a network IP address, a range of IP addresses, or a fully qualified domain name (FQDN). You can also attach NAT rules to the object.
# object network INSIDE
This object is the inside subnet, the private network:
# subnet 192.168.1.0 255.255.255.0
Now, I will configure NAT:
# nat (inside,outside) dynamic interface
In "(inside,outside)" the first name is the real (source) interface and the second is the mapped (destination) interface: a packet that enters on inside and leaves on outside has its source address translated to the outside interface's address, and the reply is translated back. (The "ip nat inside" and "ip nat outside" commands belong to IOS routers; the ASA uses this object NAT form instead.)
# exit
I will verify:
# show nat
I will verify by pinging the server from PC-A.
On PC-A:
# ping 8.8.8.8
This should fail: the ASA does not track ICMP by default, so the echo reply arriving on outside (security level 0) toward inside (security level 100) is dropped.
NEXT:
For this I will configure the firewall ASA5506 to permit ICMP.
What is inspection in a firewall?
Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
What is inspection in Cisco ASA?
When many people think of protocol inspection, they think of a process that reads the data of a packet and inspects it for some amount of wrongdoing. In reality, the packet inspection feature of the Adaptive Security Appliance (ASA) is typically used to help make the protocol work better: for ICMP it lets the ASA match each echo reply to the echo request that caused it, so the reply is allowed back through.
Class map and policy map overview: each class map defines a traffic classification, the network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified traffic.
On ASA5506:
# conf t
# class-map inspection_default
# match default-inspection-traffic
# exit
Next:
Time to set the policy map:
# policy-map global_policy
Specify the class we created:
# class inspection_default
# inspect icmp
# exit
NEXT:
I will enable the service policy globally, on all interfaces:
# service-policy global_policy global
NEXT:
I will verify by pinging from PC-A to the server.
On PC-A:
# ping 8.8.8.8
It should be successful now.
Let us try to access the server via the web browser from PC-B.
On PC-B:
Open 8.8.8.8 in the web browser; this should time out.
To allow access to the server via the web browser, I need to add HTTP inspection on the ASA5506.
On ASA5506:
# conf t
# policy-map global_policy
# class inspection_default
# inspect http
I will run the show command:
# show run
Notice the changes.
Let us give it another try from PC-B.
On PC-B:
Open 8.8.8.8 in the web browser; it should be successful now.
Let us try from PC-A to ping the server by the name www.ccna.com.
On PC-A:
# ping www.ccna.com
It should fail.
I will add DNS inspection on the ASA5506 by creating a policy map for DNS.
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
- The maximum DNS message length is 512 bytes.
- The maximum client DNS message length is automatically set to match the Resource Record.
On the ASA5506:
# conf t
# policy-map type inspect dns preset_dns_map
# parameters
# message-length maximum 512
# exit
# policy-map global_policy
# class inspection_default
# inspect dns preset_dns_map
# exit
I will verify the running configuration:
# show run
Notice the policy map for the DNS inspection.
NEXT:
I will try to ping the server again by name from PC-2.
On PC-2:
# ping www.ccna.com
It should be successful now.
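The behaviour verified in the NAT, ICMP, HTTP and DNS steps above (every inside host leaves through the outside interface address, and each protocol's reply gets back in only once that protocol is inspected) can be modelled in a few lines. This is an added Python example, not code from the lab or from Cisco; it follows what the lab observes in Packet Tracer, whereas a real ASA tracks TCP and UDP connections even without an inspect line and inspection adds protocol-aware checks on top. The addresses are the lab's; the class and function names are my own.

```python
"""Toy model of the ASA forwarding behaviour this lab relies on (added example,
not the lab's or Cisco's code). Addresses are the lab's: inside 192.168.1.0/24,
outside interface 10.1.1.1, server 8.8.8.8."""
from dataclasses import dataclass, field


@dataclass
class LabAsa:
    levels: dict                                  # nameif -> security-level
    outside_ip: str                               # used by "nat ... dynamic interface"
    inspected: set = field(default_factory=set)   # protocols under "class inspection_default"
    conns: dict = field(default_factory=dict)     # (proto, mapped_src, dst) -> real inside src

    def send(self, proto, src, dst):
        """Packet entering on inside, leaving on outside.
        Returns the translated source address, or None if dropped."""
        if self.levels["inside"] <= self.levels["outside"]:
            return None                           # low->high needs an ACL; not in this lab
        mapped = self.outside_ip                  # dynamic PAT: hide behind the outside address
        if proto in self.inspected:               # lab behaviour: only inspected protocols
            self.conns[(proto, mapped, dst)] = src  # get a connection entry for the reply
        return mapped                             # (real PAT also keys on source port; omitted)

    def reply(self, proto, src, dst):
        """Packet entering on outside. Returns the untranslated inside destination,
        or None when no tracked connection matches (unsolicited inbound is dropped)."""
        return self.conns.get((proto, dst, src))


def lab_exchange(proto, client, server, inspected):
    """Run one request/reply through the lab; True if the client receives the reply."""
    asa = LabAsa({"inside": 100, "outside": 0}, "10.1.1.1", set(inspected))
    mapped = asa.send(proto, client, server)
    if mapped is None:
        return False
    return asa.reply(proto, server, mapped) == client


if __name__ == "__main__":
    # Before "inspect icmp" the ping fails; after it, it succeeds. Same for http and dns.
    print("ping without inspect icmp:", lab_exchange("icmp", "192.168.1.10", "8.8.8.8", []))
    print("ping with inspect icmp:   ", lab_exchange("icmp", "192.168.1.10", "8.8.8.8", ["icmp"]))
    print("http with only icmp:      ", lab_exchange("http", "192.168.1.11", "8.8.8.8", ["icmp"]))
```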
NEXT:
I will configure AAA authentication for SSH, so that SSH logins are checked against the local user database (the Admin1 account created above).
On ASA5506:
# conf t
# aaa authentication ssh console local
I will generate the RSA key pair used by the SSH server:
# crypto key generate rsa modulus 1024
# yes
(Answer yes to replace any existing key. A 1024-bit modulus is used here for the Packet Tracer lab; on a production ASA use at least 2048.)
I will set up the permitted host or network allowed to use the SSH service.
On ASA5506:
# conf t
# ssh 192.168.1.0 255.255.255.0 inside
Set the idle timeout to 10 minutes:
# ssh timeout 10
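As a check on the SSH hardening this section configures, here is an added Python audit (not from the lab or from Cisco) that reads a running-config text and reports when SSH is not behind AAA, is permitted from the outside or from any address, has no idle timeout, or when the inside/outside security levels differ from the lab's. The sample config is constructed to match the lab's final state; the function name is my own.

```python
"""Audit of the access-hardening settings from this lab against an ASA running
config (added example, not the lab's or Cisco's code)."""
import re

# Constructed sample: the management-related part of the lab's final "show run".
LAB_CONFIG = """\
hostname ASA5506
domain-name ccna.com
username Admin1 password cisco
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.252
interface Management1/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
"""


def audit_ssh_access(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    # Security levels as the lab sets them: outside 0, inside 100
    levels, current = {}, None
    for ln in lines:
        if ln.startswith("nameif "):
            current = ln.split()[1]
        elif ln.startswith("security-level ") and current:
            levels[current] = int(ln.split()[1])
    if levels.get("outside") != 0:
        findings.append("outside interface is not security-level 0")
    if levels.get("inside") != 100:
        findings.append("inside interface is not security-level 100")
    # SSH must authenticate against AAA (the local user database in this lab)
    if not any(ln.lower() == "aaa authentication ssh console local" for ln in lines):
        findings.append("SSH does not use AAA authentication")
    # "ssh <net> <mask> <nameif>": reject permits from outside or from any source
    permits = [re.match(r"ssh (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)$", ln) for ln in lines]
    permits = [m for m in permits if m]
    for m in permits:
        if m.group(3) == "outside" or m.group(1) == "0.0.0.0":
            findings.append("SSH permitted too broadly: " + m.group(0))
    if not any(m.group(3) == "inside" for m in permits):
        findings.append("no inside network is permitted to SSH")
    if not any(re.match(r"ssh timeout \d+$", ln) for ln in lines):
        findings.append("no SSH idle timeout configured")
    return findings
```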
