April 2011

Eight Basic Cisco Commands

Understanding the Eight Basic Commands on a Cisco ASA Security Appliance

By: Don Crawley, SoundTraining.net

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. To enable basic functionality, there are eight basic commands (these commands are based on software version 8.3(1) or greater):

  • Interface
  • Nameif
  • security-level
  • ip address
  • switchport access
  • object network
  • nat
  • route

Interface
The interface command identifies either the hardware interface or the Switch Virtual Interface (VLAN interface) that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on) or you can assign names and security levels to VLAN interfaces. Shown in image 1 below:
Cisco Interface

Nameif
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

Security-level
Security levels are numeric values, ranging from 0 to 100, used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.

     ciscoasa(config)# interface vlan1
     ciscoasa(config-if)# nameif inside
     INFO: Security level for “inside” set to 100 by default.
     ciscoasa(config-if)# interface vlan2
     ciscoasa(config-if)# nameif outside
     INFO: Security level for “outside” set to 0 by default.
     ciscoasa(config-if)# interface vlan3
     ciscoasa(config-if)# nameif dmz
     ciscoasa(config-if)# security-level 50

IP Address
The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, otherwise, it is not necessary.

In the following sample (image 2 below) configuration, an IP address is assigned to VLAN 1, the inside interface.

     ciscoasa(config-if)# interface vlan 1
     ciscoasa(config-if)# ip address 192.168.1.1
Cisco IP Address

Switchport Access
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on). This command is not used on the ASA 55×0 appliances.

     ciscoasa(config-if)# interface ethernet 0/0
     ciscoasa(config-if)# switchport access vlan 2
     ciscoasa(config-if)# no shutdown
     ciscoasa(config-if)# interface ethernet 0/1
     ciscoasa(config-if)# switchport access vlan 1
     ciscoasa(config-if)# no shutdown

Object Network Obj Any
The object network obj_any statement creates an object called “obj_any”. (You do not have to name the object “obj_any”; that is a descriptive name, but you could just as easily name it “Juan”.) The network option states that this particular object will be based on IP addresses. The subnet 0.0.0.0 0.0.0.0 command states that obj_any will affect any IP address not configured on any other object.

     ciscoasa(config-if)#object network obj_any
     ciscoasa(config-network-object)#subnet 0.0.0.0 0.0.0.0

Nat
The nat statement, as shown below, tells the firewall to allow all traffic flowing from the inside to the outside interface to use whatever address is dynamically (DHCP) configured on the outside interface.

     ciscoasa(config)#nat (inside,outside) dynamic interface

Route
The route command, in its most basic form, assigns a default route for traffic, typically to an ISP’s router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets.

In this sample configuration, the route command is used to configure a default route to the ISP’s router at 12.3.4.6. The two zeroes before the ISP’s router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.

     ciscoasa(config-if)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall, however, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill.

Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.

Here is a sample base configuration: 

   Sample Base Configuration
     ciscoasa(config)# interface vlan1
     ciscoasa(config-if)# nameif inside
     INFO: Security level for “inside” set to 100 by default.
     ciscoasa(config-if)# interface vlan2
     ciscoasa(config-if)# nameif outside
     INFO: Security level for “outside” set to 0 by default.
     ciscoasa(config-if)# interface ethernet 0/0
     ciscoasa(config-if)# switchport access vlan 2
     ciscoasa(config-if)# no shutdown
     ciscoasa(config-if)# interface ethernet 0/1
     ciscoasa(config-if)# switchport access vlan 1
     ciscoasa(config-if)# no shutdown
     ciscoasa(config-if)# interface vlan 2
     ciscoasa(config-if)# ip address 12.3.4.5
     ciscoasa(config-if)# interface vlan 1
     ciscoasa(config-if)# ip address 192.168.1.1
     ciscoasa(config-if)# route outside 0 0 12.3.4.6
     ciscoasa(config-if)#object network obj_any
     ciscoasa(config-network-object)#subnet 0.0.0.0 0.0.0.0
     ciscoasa(config)#nat (inside,outside) dynamic interface
     ciscoasa(config)#exit

The above configuration will allow you to connect a private network, such as a home or small office LAN, to the public Internet through the Cisco ASA Security Appliance. Depending on your business case, that may suffice for your purposes. Such a configuration is more robust, secure, and stable than what you would achieve using consumer-grade devices.

Obviously, a Cisco ASA Security Appliance supports many more commands including those used to implement cryptographic services on VPNs, access-control lists to identify and manage traffic flows, policy map commands such as the “inspect” family of commands to allow certain protocols to safely traverse the appliance, and firewall mode commands to enable or disable transparent mode on the appliance. These eight commands also do not include commands used for the all-important backups and restores, but they do provide a foundation for the myriad other commands available on the appliance. By starting at the foundational level, you can build a more complete understanding of how the appliance works and more effectively design and build secure configurations

About the Author
Don R. Crawley author of The Accidental Administrator series of books for IT professionals including The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide and President of soundtraining.net a Seattle, Washington-based IT training firm. He is a veteran IT guy with over 35 years’ experience in technology for the workplace. He holds multiple certifications on Microsoft, Cisco, and Linux products. Don can be reached at (206) 988-5858 www.soundtraining.net don@soundtraining.net

Share