Welcome back to this series on the ASDM of the Cisco ASA. In the last article, we saw how to set up the ASDM on the Cisco ASA in GNS3. We configured basic connectivity for the ASA to be able to access the TFTP server set up on our GNS3 machine, copied the ASDM image over to the ASA and then enabled the HTTPS server on the ASA to be accessed by our computer through a web browser.
In this article, we will pick up from where we left off and take a tour of the ASDM before using it to configure basic interface settings. The GNS3 topology we will be using has evolved to include two routers: one to act as a DMZ router and the other as the Internet router.
The configuration on the ASA from the previous article is as follows:
hostname ASA
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
asdm image disk0:/asdm-713.bin
http server enable
http 192.168.10.0 255.255.255.0 inside
username asdm password mEI9mGOFgPDwvzKv encrypted
The configuration on the Internet-RTR is as follows:
hostname Internet-RTR
!
interface Loopback0
 ip address 126.96.36.199 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.20.2 255.255.255.0
!
line vty 0 4
 password cisco
The configuration on the DMZ-RTR is as follows:
hostname DMZ-RTR
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
!
line vty 0 4
 password cisco
In the last article, after we connected to the ASDM, a shortcut got placed on my desktop as shown below:
This means I don’t have to open a web browser to connect to this particular ASA anymore. When you double-click on that shortcut, you may get a warning that the connection is not trusted and if you continue, you will be presented with the login dialog box. Remember from our last article, we configured a username of asdm and a password of asdm. After successfully logging in, you will be presented with the screen below:
Let us take a quick tour of this interface. The menu bar contains File, View, Tools, Wizards and Help. Many of the functions like saving the running configuration, tools like ping and traceroute and VPN wizards are contained in here. You should take some time to go through the items in the menu bar.
Below the menu bar, we have the toolbar which helps us access the Home, Configuration and Monitoring panes. It also provides shortcut buttons like the Save and Refresh buttons.
On the left-hand side, you will notice a docked tab called ‘Device List.’ This allows us to add, delete or connect to an ASA. To switch to another device on this ASDM device list, that ASA must be running the same version of ASDM as the one we are currently running. You can click on the tab to expand it as shown below:
There is also the left navigation pane when we switch to the Configuration or Monitoring pane. This pane gives us access to configuration and monitoring options.
At the bottom of the ASDM interface, we have the Status bar which shows the date and time, username, privilege level and so on. The diagram below shows the ASDM interface with its different sections:
Before we begin our configuration, there is a useful setting that enables us to view the configuration that will be sent from ASDM to our device. This setting is under Preferences, which is located under Tools > Preferences.
We will check the “Preview commands before sending them to the device” checkbox. This setting is unchecked by default, unlike in the Cisco Configuration Professional tool.
We can now begin our configuration. In this article, we will configure basic settings like interface settings and static routing. To configure our interfaces, we will navigate to Configuration > Device Setup > Interfaces.
Notice that GigabitEthernet1 is the only interface configured and enabled. GigabitEthernet0 is the one connected to Internet-RTR and should have an IP address of 192.168.20.1 while GigabitEthernet2 is the one connected to DMZ-RTR and should have an IP address of 172.16.1.1. Finally, remember that to bring up an interface on the ASA, we also have to configure a name and a security level. Therefore, we will assign a name of outside and security level of 0 to Gi0 and a name of dmz and security level of 50 to Gi2.
I will select the interface I want to configure and click on the Edit button. In the screenshot below, I have configured Gi0.
When I click on the OK button, a warning dialog is displayed informing me that changing the security level of an interface can cause challenges. I want to make this change so I will click on OK.
Keep in mind that at this point, your configuration has not been applied on the ASA yet, so if you try to leave that page, you will get a prompt similar to the one shown below. Be sure to apply your changes before leaving a page.
When I’m done with my configuration, I will click on the Apply button located at the bottom of that page.
Because of the setting we changed under preferences, the configuration to be sent to the ASA is displayed and I can click on the Send button to apply it on the ASA.
At this point, we can test our configuration using the ping utility.
The result of my ping to the Internet-RTR is shown below. You should also confirm that you can ping the DMZ-RTR.
The next thing we want to do is configure routing. For this article, we will configure a default route through the Internet-RTR. To configure a static route, I will navigate to Configuration > Device Setup > Routing > Static routes and click on the Add button.
Notice that I can use the “any” keyword, which is the same as 0.0.0.0. In this dialog box, we can also configure SLA tracking if that feature is needed. When I click OK and then click the Apply button, the configuration to be sent to the device is as follows:
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
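As an added example (not from the original article or from Cisco), the Python code below checks an ASA configuration for what this article sets up: each static route must point at a named, addressed interface, and its next hop must sit on that interface's connected subnet. It also flags ASDM access on an interface below a security level threshold. The sample configuration is constructed from the values on this page, and the function names and the min_mgmt_level policy are assumptions.

```python
import ipaddress
# Constructed sample: the page's ASA settings after this article, written as CLI (assumed).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
http 192.168.10.0 255.255.255.0 inside
"""

def parse_interfaces(config):  # maps nameif -> {"level": int, "net": IPv4Network}
    by_name, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = {}                      # start of a new interface block
        elif current is None or not words or not line.startswith(" "):
            current = None                    # left the interface block
        elif words[0] == "nameif":
            by_name[words[1]] = current
        elif words[0] == "security-level":
            current["level"] = int(words[1])
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            current["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
    return by_name

def audit(config, min_mgmt_level=100):        # min_mgmt_level: assumed local policy
    """Return findings; an empty list means every check passed."""
    ifaces, findings = parse_interfaces(config), []
    for words in map(str.split, config.splitlines()):
        if words[:1] == ["route"] and len(words) >= 5:
            net = ifaces.get(words[1], {}).get("net")
            if net is None:
                findings.append(f"route via '{words[1]}': no such named, addressed interface")
            elif ipaddress.ip_address(words[4]) not in net:
                findings.append(f"next hop {words[4]} is not on the {words[1]} subnet {net}")
        elif words[:1] == ["http"] and len(words) == 4:
            if ifaces.get(words[3], {}).get("level", -1) < min_mgmt_level:
                findings.append(f"ASDM/HTTPS access permitted on '{words[3]}' below level {min_mgmt_level}")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns an empty list for the configuration built in this article; removing the nameif line from GigabitEthernet0 or moving the http statement to outside produces a finding.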
Note that all we have done in this article is to ensure that the ASA has connectivity to all networks. We have not configured connectivity between the networks themselves, e.g. the inside host cannot yet connect successfully to the DMZ-RTR as shown below:
In the next article, we will configure this connectivity. For now, remember to save your configuration:
Clicking on “Save Running Configuration to Flash” (or using the CTRL+S key combination) is the same as issuing the write memory command on the ASA console.
In this article, we began by familiarizing ourselves with the ASDM interface. We then configured basic settings like interface settings and static routing. We discovered that even though the ASA can connect to all networks, the networks themselves do not have connectivity among themselves. This is what we will be looking at in the next article.
I hope you have found this article insightful and I look forward to the next article in the series.
Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.1: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/intro_asdm_gui.html