ICS lab manual

Uploaded by roner17803

Configuration Steps

Step-by-Step Procedure:

1. Initial Setup of Devices

1. Add Devices to Cisco Packet Tracer:


○ Add a Cisco ASA 5505 firewall. (The show version output later in this manual reports ASA5505 hardware; its eight Ethernet ports are switch ports that are grouped into VLAN interfaces, which shapes the configuration below.)
○ Add a Cisco 2811 Router.
○ Add 2 Switches.
○ Add 4 PCs.
○ Add 1 Server. It acts as the inside web server (192.168.1.10); there is no internet cloud in this topology, the router stands in for the outside network.

2. Physical Connections

1. Router to Firewall (Outside):


○ Use a Copper Straight-Through Cable to connect the Router's
GigabitEthernet 0/0 to the Firewall’s Ethernet 0/0.
2. Firewall to Switch 1 (Inside):
○ Use a Copper Straight-Through Cable to connect the
Firewall’s Ethernet 0/1 to the Switch 1’s FastEthernet 0/1.
3. Switch 1 to PCs (Corporate Devices):
○ Use Copper Straight-Through Cables to connect PC1 and PC2 to
Switch 1 (FastEthernet ports 0/2 and 0/3).
4. Switch 1 to Server:
○ Use a Copper Straight-Through Cable to connect the Server’s
FastEthernet 0 to the Switch 1’s FastEthernet 0/4.
5. Switch 1 to Switch 2 (optional, for future expansion):
○ Connect Switch 1 FastEthernet 0/5 to Switch 2 FastEthernet 0/1. If the link indicators stay red with a Copper Straight-Through Cable, replace it with a Copper Cross-Over Cable: Packet Tracer switch models generally do not auto-negotiate MDI/MDI-X on a switch-to-switch link.

Cisco ASA Firewall Configuration:

On the ASA 5505 the Ethernet ports are Layer 2 switch ports. nameif, security-level and ip address are configured on the VLAN interfaces, not on the physical ports, which is why the first command below is rejected:

ciscoasa#configure terminal
ciscoasa(config)#interface Ethernet0/0
ciscoasa(config-if)#nameif outside
ERROR: This command can only be configured on VLAN interfaces
ciscoasa(config-if)#exit
ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#ip address 203.0.113.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

Now map the physical ports onto the VLANs so that they match the cabling in step 2: Ethernet0/0 (router) belongs to VLAN 2 (outside) and Ethernet0/1 (Switch 1) to VLAN 1 (inside). These are also the ASA 5505 factory defaults, so the commands only make the assignment explicit:

ciscoasa(config)#interface Ethernet0/0
ciscoasa(config-if)#switchport access vlan 2
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface Ethernet0/1
ciscoasa(config-if)#switchport access vlan 1
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit

Allow only HTTP from the outside to the web server, and point the default route at the router's outside address (203.0.113.2, configured in the next section). ASA 8.3 and later evaluate access lists against the real (untranslated) address, so the rule names 192.168.1.10 even after NAT is added later:

ciscoasa(config)#access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 80
ciscoasa(config)#access-group outside_access_in in interface outside
ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 203.0.113.2

Verification:
ciscoasa# show interface
ciscoasa# show interface ip brief
ciscoasa# show switch vlan

The first two confirm that Vlan1 and Vlan2 are up with the expected addresses; show switch vlan confirms which physical port sits in which VLAN, which is the usual cause of a "configured but nothing passes" lab.

Cisco Router Configuration:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 203.0.113.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1
Router(config)#exit

Server Configuration (Instead of Cloud)

1. Assign a Static IP to the Server:


○ Click on the Server.
○ Go to the Desktop Tab.
○ Click on IP Configuration.
○ Set the following:
■ IP Address: 192.168.1.10
■ Subnet Mask: 255.255.255.0
■ Default Gateway: 192.168.1.1 (ASA inside interface)

PC Configuration

1. Assign Static IP Addresses to PCs: On each PC (PC1, PC2, etc.), manually configure IP addresses:
○ PC1:
■ IP Address: 192.168.1.2
■ Subnet Mask: 255.255.255.0
■ Default Gateway: 192.168.1.1
○ PC2:
■ IP Address: 192.168.1.3
■ Subnet Mask: 255.255.255.0
■ Default Gateway: 192.168.1.1

PC3 and PC4 Configuration (Static IP Setup)

1. PC3 Configuration:
○ Click on PC3 in Cisco Packet Tracer.
○ Go to the Desktop Tab.
○ Click on IP Configuration.
○ Set the following static IP settings:
■ IP Address: 192.168.1.4
■ Subnet Mask: 255.255.255.0
■ Default Gateway: 192.168.1.1
2. PC4 Configuration:
○ Click on PC4.
○ Go to the Desktop Tab.
○ Click on IP Configuration.
○ Set the following static IP settings:
■ IP Address: 192.168.1.5
■ Subnet Mask: 255.255.255.0
■ Default Gateway: 192.168.1.1
Testing Connectivity

1. Ping Between Devices:


○ From PC1, ping PC2 to verify internal network connectivity:

ping 192.168.1.3

2. Ping the Server from PCs:

● From PC1, ping the Server:

ping 192.168.1.10

3. Test the Outside Link (Router to Firewall):

● There is no internet cloud in this topology, so an address such as 8.8.8.8 is unreachable and a ping to it proves nothing. Ping the ASA's outside interface from the router instead; it is directly connected, so it answers without any access-list entry:

ping 203.0.113.1

Check Basic Connectivity (Verification Step)

Testing Connectivity:

1. Ping Between PC3 and PC4:


○ Go to the Command Prompt on PC3.

Type the following command to ping PC4:

ping 192.168.1.5


○ You should see successful replies indicating that PC3 can
communicate with PC4.
2. Ping from PC3 or PC4 to Server:
○ Go to the Command Prompt on PC3 or PC4.
Type the following command to ping the Server:

ping 192.168.1.10

○ You should see successful replies if the server and PC3/PC4


are properly connected to the network.
3. Ping from PC3 or PC4 through the Firewall:

The ASA does not answer a ping addressed to one of its interfaces that arrives on a different interface, so pinging 203.0.113.1 from an inside PC fails by design and does not indicate a fault. Test the ASA's inside interface directly, then test traversal by pinging the router's outside address:

ping 192.168.1.1
ping 203.0.113.2

○ The first ping succeeds as soon as Vlan1 is up. The second proves that inside traffic crosses the firewall and that the replies come back; the ASA does not track ICMP statefully by default, so the router's replies are only admitted if ICMP inspection is enabled or the outside access list permits them.

Firewall Rule Verification (ASA ACL Test):

Verify that ACLs (Access Control Lists) are in place to permit or deny traffic between different networks (inside, outside, guest).

ciscoasa#show access-list
access-list cached ACL log flows: total 0, denied 0
(deny-flow-max 4096) alert-interval 300
access-list outside_access_in; 1 elements; name hash: 0x2c873510
access-list outside_access_in line 1 extended permit tcp any host
192.168.1.10 eq www(hitcnt=0) 0x90d6cd50

View Detailed Interface Information:

ciscoasa# show interface Ethernet0/0

output:
Ethernet0/0 "", is up, line protocol is up (connected)
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 00D0.582E.B501, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

ciscoasa#configure terminal
ciscoasa(config)#show running-config interface
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
!
interface Vlan3
no nameif
no security-level
no ip address
!
ciscoasa(config)#exit
ciscoasa#show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
!
interface Vlan3
no nameif
no security-level
no ip address
!
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
access-list outside_access_in extended permit tcp any host
192.168.1.10 eq www
!
!
access-group outside_access_in in interface outside
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
!
dhcpd enable inside
!
!
!
!
ciscoasa#show running-config interface Ethernet0/0
interface Ethernet0/0
switchport access vlan 2
!
ciscoasa#show running-config interface Ethernet0/1
interface Ethernet0/1
!
ciscoasa#show running-config interface Vlan1
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
Test NAT (Network Address Translation):

Give the inside subnet a dynamic PAT on the outside interface address. Network-object NAT is the ASA 8.3+ form, so the nat command is entered inside the object:

ciscoasa#configure terminal
ciscoasa(config)#object network obj_any
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#exit
ciscoasa(config)#exit

Do not add "access-list outside_access_in extended permit ip any any" at this point. It is not needed for NAT, and applied inbound on the outside interface it lets any outside host open a connection to any inside address, which removes the protection the firewall exists to provide. (The running configuration captured later in this manual still carries that line.)

ciscoasa#show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0

This shows that the NAT rule is installed but no translation has been built yet (translate_hits = 0 and untranslate_hits = 0), which is expected if no inside host has sent traffic toward the outside since the rule was added. Generate traffic from PC1 toward the router and repeat show nat, and also run show xlate, to watch the counters move.
Security Policy Testing

● Test network segmentation: the intent is that guest users (PC3, PC4) cannot reach the corporate inside network. As built, PC3 and PC4 sit on the same switch, VLAN and subnet (192.168.1.0/24) as PC1 and PC2, so their traffic never passes through the ASA and no firewall rule can separate them. Segmentation requires the guests on their own VLAN interface with their own subnet; the ASA 5505 Base license allows a third, restricted VLAN for exactly this.
● Block unnecessary ports/services: use the firewall to block unwanted services such as FTP or Telnet and any unused ports. Access lists do this, but order matters: the ASA stops at the first matching line, so a deny placed after "permit ip any any" is never reached.
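The two bullets above describe the policy, but the lab as written does not build it. The following is an added example, not from the lab manual or the captured configuration, that puts PC3 and PC4 on a separate guest VLAN and applies ordered access lists on each interface. It assumes Switch 2 is cabled to the ASA's Ethernet0/2 (rather than to Switch 1), that 192.168.2.0/24 is free for guests, and that the Packet Tracer ASA accepts the Base-license restriction "no forward interface" (on ASA 5505 Base hardware the third VLAN must carry it before nameif).

```cisco
! Added example (not from the lab manual). Assumptions: Switch 2 hangs off
! Ethernet0/2, guests use 192.168.2.0/24, Base license (3 VLANs, the third
! restricted). Enter in configuration mode on the ASA 5505.
!
! --- Guest VLAN. With the Base license the third VLAN may not initiate
! traffic to one other VLAN; declare that before nameif or it is rejected.
interface Vlan3
 no forward interface vlan 1
 nameif guest
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! --- PAT for guests, mirroring the inside rule.
object network obj_guest
 subnet 192.168.2.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! --- Guest policy: first match wins, so the deny precedes the permit.
! (Security levels alone would already stop guest -> inside; the explicit
! ACL makes the intent visible and countable in show access-list.)
access-list guest_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list guest_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group guest_access_in in interface guest
!
! --- Corporate egress policy: blocking FTP/Telnet belongs on the interface
! where the clients sit. Binding an ACL to "inside" replaces the implicit
! permit that security-level 100 provides, so it must end with a permit.
access-list inside_access_in extended deny tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in extended deny tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! --- Inbound policy: only HTTP to the web server. Remove the broad permit
! and the shadowed deny if they were added during the earlier tests; the
! implicit deny at the end of the list handles everything else.
no access-list outside_access_in extended permit ip any any
no access-list outside_access_in extended deny tcp any any eq ftp
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq www
access-group outside_access_in in interface outside
```

After applying this, re-address PC3 and PC4 to 192.168.2.2 and 192.168.2.3 with gateway 192.168.2.1 and move them to Switch 2. From PC3, ping 192.168.1.2 (must fail, and show access-list guest_access_in should show the hit on the deny line) and ping 203.0.113.2 (succeeds once ICMP inspection is enabled). From PC1, an FTP or Telnet attempt toward any address now fails at the inside ACL, which is where the hit count appears.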

ciscoasa#configure terminal
ciscoasa(config)#no access-list outside_access_in extended permit ip any any
ciscoasa(config)#access-list outside_access_in line 1 extended deny tcp any any eq ftp
ciscoasa(config)#access-group outside_access_in in interface outside
ciscoasa(config)#show access-list outside_access_in
ciscoasa(config)#exit

The first command removes the "permit ip any any" if it was added during the NAT test; re-adding it produces "WARNING: <outside_access_in> found duplicate element" and, more importantly, leaves the outside interface open. The "line 1" keyword inserts the deny ahead of the existing web permit, so it is evaluated first; appended at the end it would follow any broader permit and never be hit.

ciscoasa#write memory
Building configuration...
Cryptochecksum: 13a16bc4 4dd87a18 0810476d 293b510d
1130 bytes copied in 2.67 secs (423 bytes/sec)
[OK]
ciscoasa#show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by mnguyen
System image file is "disk0:/asa842-k8.bin
Config file at boot was "startup-config"
ciscoasa up 1 hours 26 minutes 31 seconds
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator
(revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 44d3.caef.1e22, irq 11
1: Ext: Ethernet0/0 : address is 00D0.582E.B501, irq 255
2: Ext: Ethernet0/1 : address is 00D0.582E.B502, irq 255
3: Ext: Ethernet0/2 : address is 00D0.582E.B503, irq 255
4: Ext: Ethernet0/3 : address is 00D0.582E.B504, irq 255
5: Ext: Ethernet0/4 : address is 00D0.582E.B505, irq 255
6: Ext: Ethernet0/5 : address is 00D0.582E.B506, irq 255
7: Ext: Ethernet0/6 : address is 00D0.582E.B507, irq 255
8: Ext: Ethernet0/7 : address is 00D0.582E.B508, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1536LK5F-
Running Permanent Activation Key: 0xB3020A4E 0xC3602512 0xC576CB36
0x825140D5 0x770ABB28
Configuration register is 0x1
Configuration has not been modified since last system restart.

COMPLETE VERIFICATION:

Read the captures below against the configuration steps above. Three things in this capture differ from what the steps require and should be corrected before the lab is signed off:

1. Port-to-VLAN mapping: the capture shows Ethernet0/1 in VLAN 2 (outside) and Ethernet0/0 in its default VLAN 1, the reverse of the cabling in step 2 (router on Ethernet0/0, Switch 1 on Ethernet0/1). Confirm with show switch vlan that the router's port is in VLAN 2 and the switch's port in VLAN 1.
2. Default route: "route outside 0.0.0.0 0.0.0.0 203.0.113.254 1" points at an address that does not exist in this topology; the next hop must be the router, 203.0.113.2.
3. Access-list order: line 2, "permit ip any any", matches every packet, so line 3, "deny tcp any any eq ftp", is shadowed and can never be hit, and the outside interface is effectively open. The zero hit counts (hitcnt=0) are consistent with this and with no traffic having been sent; the deny must come first and the "permit ip any any" must be removed.

ciscoasa#show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
!
interface Vlan3
no nameif
no security-level
no ip address
!
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
access-list outside_access_in extended permit tcp any host
192.168.1.10 eq www
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended deny tcp any any eq ftp
!
!
access-group outside_access_in in interface outside
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
!
dhcpd enable inside
!
!
!
!

ciscoasa#show interface ip brief


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
Vlan1 192.168.1.1 YES manual up up
Vlan2 203.0.113.1 YES manual up up
Vlan3 unassigned YES unset up down

ciscoasa#show nat

Auto NAT Policies (Section 2)


1 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0

ciscoasa#show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max
4096) alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x414ee72a
access-list outside_access_in line 1 extended permit tcp any host
192.168.1.10 eq www(hitcnt=0) 0x5db46aac
access-list outside_access_in line 2 extended permit ip any
any(hitcnt=0) 0x5ed177ab
access-list outside_access_in line 3 extended deny tcp any any eq
ftp(hitcnt=0) 0x96c5cbe4

ciscoasa#show version

Cisco Adaptive Security Appliance Software Version 8.4(2)


Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by mnguyen
System image file is "disk0:/asa842-k8.bin
Config file at boot was "startup-config"
ciscoasa up 1 hours 32 minutes 2 seconds
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator
(revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 44d3.caef.1e22, irq 11
1: Ext: Ethernet0/0 : address is 00D0.582E.B501, irq 255
2: Ext: Ethernet0/1 : address is 00D0.582E.B502, irq 255
3: Ext: Ethernet0/2 : address is 00D0.582E.B503, irq 255
4: Ext: Ethernet0/3 : address is 00D0.582E.B504, irq 255
5: Ext: Ethernet0/4 : address is 00D0.582E.B505, irq 255
6: Ext: Ethernet0/5 : address is 00D0.582E.B506, irq 255
7: Ext: Ethernet0/6 : address is 00D0.582E.B507, irq 255
8: Ext: Ethernet0/7 : address is 00D0.582E.B508, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1536LK5F-
Running Permanent Activation Key: 0xB3020A4E 0xC3602512 0xC576CB36
0x825140D5 0x770ABB28
Configuration register is 0x1
Configuration has not been modified since last system restart.

ciscoasa#show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max


4096) alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x81aab11a
access-list outside_access_in line 1 extended permit tcp any host
192.168.1.10 eq www(hitcnt=0) 0x3587d59b
access-list outside_access_in line 2 extended permit ip any
any(hitcnt=0) 0xe108b876
access-list outside_access_in line 3 extended deny tcp any any eq
ftp(hitcnt=0) 0xdc4b3655
ciscoasa#
