
How to Configure Cisco ASA and PIX Firewalls?
1. How Firewall Builder works with Cisco ASA Firewalls
2. Firewall Builder GUI Layout
3. Example Cisco ASA Deployment
4. Creating a Cisco ASA or PIX Firewall
4.1. Network Zones
5. Working With Objects
6. Configuring Policy Rules (Access Lists)
6.1. Additional Tips For Working with Rules
7. Configuring NAT Rules
8. Compile and Install
Firewall Builder is a configuration management application used to
configure and manage firewall rules for multiple types of firewalls.
This guide goes through the steps necessary to create a Cisco ASA
firewall object in Firewall Builder, and then install rules created in
Firewall Builder onto the firewall.

1. How Firewall Builder works with Cisco ASA Firewalls

Conceptually Firewall Builder works the same way no matter what
type of firewall is being configured. Firewall Builder is based on the
idea of using objects to represent rule elements, such as IP networks
and Host addresses, and then using these objects to define firewall
rules.
For Cisco ASA and Cisco PIX firewalls, once the rules have been
defined on the firewall object, Firewall Builder generates a
configuration file containing all the Cisco CLI commands required to
implement the defined security policy. As needed, this configuration
file also includes the commands required to configure interfaces,
static routes, and other configuration options.
Once the configuration file has been created, Firewall Builder can
use the secure SSH and SCP protocols to transfer the configuration
to the Cisco ASA or PIX firewall and activate the generated
configuration, or users can manually copy-and-paste the generated
configuration file into a command line session.
Figure 1. Basic Workflow for Configuring ASA Firewall with Firewall Builder

2. Firewall Builder GUI Layout


Before we get started configuring our example firewall, let's take a
minute to orient ourselves with the Firewall Builder application. The
GUI is comprised of three primary panels, shown in the screenshot
below.
Figure 2. Firewall Builder GUI Layout

Object Panel. Objects in the active Library are displayed in an
object tree in the Object Panel. Empty folders are defined for
all possible object types that a user can create in the User
library.
Rules Panel. When a Policy object is opened for editing it is
displayed in the Rules Panel. Clicking on the green icon at
the top of the panel creates a new rule.
Editor Panel. Double-clicking on objects opens them for
editing in the Editor Panel. Changes to object attribute fields
take effect immediately.

Panels open dynamically based on what activity the user is
performing. For example, double-clicking an object to edit it will
open the Editor Panel if it is not already open.
Now we are ready to get started configuring our firewall example.

3. Example Cisco ASA Deployment


This Getting Started Guide demonstrates how to configure a Cisco
ASA 5505 to match the network deployment shown in the diagram
below.
Figure 3. Example Cisco ASA Configuration

The goal of this Getting Started Guide is to familiarize users with the
basic Firewall Builder steps needed to configure a Cisco ASA or PIX
firewall object. There are many advanced features that won't be
covered here, please refer to the Users Guide for a complete listing
of all Firewall Builder features.

4. Creating a Cisco ASA or PIX Firewall


To create a firewall object to represent your Cisco ASA device, click
on the Create new firewall icon in the main window of Firewall
Builder, or right-click on the Firewalls system folder in the object
tree and select "New Firewall". Either of these methods will launch a
wizard that walks you through creating your firewall object.
Enter a name for the firewall object. In this example we will use asa1.
Change the drop-down menu for the firewall software to read
Cisco ASA (PIX).
Figure 4. New Firewall Dialog

Click the "Next >" button to continue to the next step in the wizard.
When creating a firewall object in Firewall Builder you have a choice
of configuring interfaces manually, or using SNMP discovery to
gather configuration details from a running firewall. SNMP discovery
requires you to have SNMP enabled on your firewall and to know
either the Read-Only or Read-Write community string. For this
example we are going to configure the firewall interfaces manually.
Figure 5. Select Interface Configuration Method

Click the "Next >" button to continue to the next step.


The firewall object you create in Firewall Builder needs to match the
Cisco ASA or PIX firewall that you want to deploy security policies
on. This means that the interface names and IP addresses in the
firewall object you create must exactly match what is configured on
the ASA or PIX.
Click the green icon to add a new interface to the firewall object.
Enter the name of the interface exactly as it is shown on the ASA or
PIX command line when you run the "show interface" command. In
this example interfaces Ethernet0/0 through Ethernet0/7 are
available, but we are only going to use interfaces Ethernet0/0 and
Ethernet0/1.
Set the interface name to Ethernet0/0 and set the label to outside.
Click on the Add address button and set the IP address to 192.0.2.1
with a netmask of 255.255.255.240.
Figure 6. Set Interface IP Address

Click the green icon to add another interface to the firewall
object. Enter the information into the wizard to match the second
interface as follows:
Figure 7. Interface Tabs

Click the "Next >" button.


Firewall Builder will automatically set the security level of the
interface based on the interface label and IP address. The outside
interface is set to security level 0 and the inside interface is set to
security level 100.
Figure 8. Interface Security Levels

Click the "Finish" button to create the firewall object.


After you create the firewall object representing the ASA or PIX, it is
displayed in the object panel on the left side. The Policy object,
where the access list rules are configured, is automatically opened
in the main window.
Figure 9. Firewall Displayed in Object Tree

4.1. Network Zones


Firewall Builder uses a Network Zone concept to determine network
topology and correctly create rules. Each firewall object interface
has a corresponding Network Zone that must be set. The Network
Zone represents the set of source IP networks sending traffic
inbound to an interface.
Figure 10. Network Zones Define Topology

Note
Warning! If you do not set the Network Zone, Firewall Builder will
generate an error when you try to compile the firewall object to
generate the configuration file.
Outside Interface
For the "outside" interface, Ethernet0/0 in this example, you will
typically set the Network Zone to "Any". "Any" is defined to be all IP
networks that aren't associated with any other interfaces. To set the
Network Zone double-click the Ethernet0/0 interface object of the
firewall object and select the Network Zone "Any" from the
dropdown list.
Figure 11. Setting Network Zone For The "outside" Interface

Inside Interface
For the "inside" interface, and all other interfaces on the firewall
object, you need to select a Network Zone based on your
network topology. In our example firewall object the "inside"
interface is attached to the 10.10.10.0/24 network. Firewall Builder
comes with a predefined object called net-10.0.0.0 which represents
the 10.0.0.0 network. We will use this network for the "inside"
interface Network Zone.

Figure 12. Setting Network Zone For The "inside" Interface

Note
A Network Zone can be an individual Network object or a Group
object that includes multiple Network objects. For example, you
must set the Network Zone to a Group object if your internal
network uses the 10.0.0.0/8 and 172.16.0.0/16 networks. In this
case you create a Group object, include network objects for both of
these IP networks, and use this Group object as your "inside"
interface's Network Zone.
Before moving on you should save the data file containing the new
firewall object just created. Do this by going to the "File -> Save As"
menu item. Choose a name and location to save the file.

5. Working With Objects


Firewall Builder is based on the concept of objects. There are a
variety of different object types used to define IP objects that can be
used as the Source and Destination in your firewall rules. Two of the
most common IP objects used in firewall rules are Networks and
Addresses.
Network Objects
To create the example Network object representing the internal
10.10.10.0/24 network shown in the diagram on the previous page,
go to the object tree on the left side of the screen and double-click
the folder labeled Objects to expand it. Right click on the folder
called Networks and select New Network. This creates a new
network object. In the lower portion of your screen, called the Editor
Panel, you can modify the properties of this new network object.
Change the object name to something matching the function. In this
example we name it Internal Network to represent the network
connected to our "inside" interface. The address is set to 10.10.10.0
and the netmask is 255.255.255.0.
Figure 13. New Network Object

Note
When editing the attributes of an object there is no Apply or Submit
button. Once you edit an attribute, as soon as you move away
from the field you were editing the change immediately
takes effect.
Address Objects
To create an object representing a single IP address, similar to the
host parameter in a Cisco access list, go to the object tree, right-click
on the Addresses folder, and select "New Address". In the
Editor Panel change the name of the new address object to
something that reflects its function, for example POP3 Server. Also
set the IP address.
Figure 14. New Address Object

You may have noticed that we did not create any objects for the TCP
services like HTTP and SSH needed for the firewall object rules
shown in the example. This is because Firewall Builder comes with
hundreds of predefined objects for commonly used objects like TCP
services.

6. Configuring Policy Rules (Access Lists)


After you have created a firewall object and network objects you can
start to configure the firewall's rules. When you create a firewall
object, for example asa-1 from our previous example, it is opened
automatically in the object tree and its Policy object is opened in the
main window for editing. The Policy object is where access list rules
are configured.
To add a new rule to the Policy, click on the green icon at the top
left of the main window. This creates a new rule with default values
set to deny all.
Figure 15. Default Rule

Every rule includes the following sections:

Source - this can be one or more IP objects. The default value
is Any which is the same as the "any" parameter in a Cisco
access list that matches all IP addresses.
Destination - this can be one or more IP objects. The default
value is Any which is the same as the "any" parameter in a
Cisco access list that matches all IP addresses.
Service - this can be one or more Service objects. Example
services include TCP and UDP protocols like HTTP and DNS.
The default value is Any which matches any IP service and is
the same as the "ip" parameter in Cisco access lists.
Interface - this can be one or more interfaces configured on
the firewall (router) object. The default value is All which
means the rule will be applied as an access list to all
configured interfaces.
Direction - options are Inbound, Outbound, and Both. This
defines whether the resulting access-group will be applied to
interfaces as "in" or "out". Both will generate an identical rule
for "in" and "out". The default value is Both.
Action - options are Accept and Deny. This matches the Cisco
access list parameters "permit" and "deny". The default value
is Deny.
Options - options are Logging On and Logging Off. Setting
Logging On matches the Cisco access list parameter "log".
The default value is Logging On.
Configuring a Rule
In the example below, the fields in the rule will be set to the values
that match the first rule from our example scenario (scenario rules
shown in figure below). This first rule controls SSH access to the
firewall itself.
Figure 16. Scenario Rules

Setting the Source


To set the Source of a rule, drag-and-drop at least one IP object from
the tree to the Source field of your rule. For example, drag the
Network object called Internal Network that you created earlier to
the Source column of the rule as shown below.
Figure 17. Setting the Source

After you drop the network object into the rule the Source field will
change from Any to Internal Network.
Figure 18. After Source is Set

Note
You can have more than one IP object in the Source and Destination
fields. When Firewall Builder generates the Cisco command line
access lists it will automatically split the rule into multiple lines if
necessary.
Setting the Destination
Setting the Destination is exactly the same as setting the Source,
except you drag-and-drop IP objects in to the Destination field of the
rule. For our first example rule we want the Destination to be the
"inside" interface of the firewall object. Drag-and-drop the
Ethernet0/1 object from the object tree to the Destination column.
Figure 19. Setting the Destination

After you drop the interface object into the rule the Destination field
will change from Any to "inside", the label of the Ethernet0/1
interface.
Figure 20. After Destination is Set

Setting the Service


Firewall Builder comes with hundreds of predefined objects including
Service objects for almost all standard protocols. To access these
objects switch to the Standard library by selecting it from the drop
down at the top of the Object tree window.
Figure 21. Switching Libraries

Services are located in the Services folder. In this rule we want to
set the service to SSH, so you would navigate to the SSH service by
opening the Services folder, then opening the TCP folder and
scrolling down until you find the "ssh" object.
Once you find the ssh object, drag-and-drop from the tree on the left
in to the Service section of the rule in the Rules window.
Figure 22. Setting the Service

Note
To switch back to the User library, which contains objects you have
created, click on the drop down menu that says Standard and select
User from the list of libraries.
Setting the Interface
If desired, set the Interface for the rule by dragging-and-dropping an
interface object from the firewall (router) object to the Interface
section of the rule. This will explicitly define which interface on the
router that the access list will be applied to as an "access-group".
Figure 23. Setting the Interface

Setting the Direction


The direction of the rule is based on the traffic you want to filter.
Traffic coming in to an interface should have the rule Direction set to
Inbound and traffic going out of an interface should have the rule
Direction set to Outbound. In our example the direction of the rule
will be Inbound since it is controlling access to the firewall itself on
the "inside" interface. Right-click and set the direction to Inbound.
The Direction, Network Zone and the Interface settings in a rule will
determine which interfaces should have this rule applied.
Note
A word about Inbound vs. Outbound access lists: Older PIX versions
did not support outbound access lists on interfaces, so by default
Firewall Builder emulates this behavior. This means if you create an
outbound rule on an interface, Firewall Builder will convert that to
inbound rules on all other interfaces. You can change this behavior
by editing the Firewall Settings for the firewall object and clicking
the checkbox next to "Generate outbound ACLs".


Setting the Action
The action controls whether traffic matching the rule should be
permitted or denied. Remember, all Cisco access lists have an
implicit deny at the end of the list, so any traffic that has not
matched a rule that permits the traffic will be dropped. Right-click
and set the action to "Accept" to allow the SSH traffic from the local
network to the firewall.
Setting the Options
Logging for rule matches is set in the Options section. By default
logging is turned on. To turn logging off, right-click in the Options
section and select Logging Off.
Example of a Complete Rule
The following is the first rule from our example which allows traffic
from the internal network to the firewall's inside interface that has a
traffic type of SSH.
Figure 24. New Rule with Fields Set
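As an added illustration (not Firewall Builder's own compiler code), the following Python maps the rule fields listed in Section 6 onto Cisco access-list and access-group lines, splits a rule with several objects into one line per object, and emulates the PIX behaviour from the Inbound vs. Outbound note, where an outbound rule on one interface becomes inbound rules on all other interfaces. The ACL naming scheme, the exact line layout and the inside interface address 10.10.10.1 are assumptions.

```python
from dataclasses import dataclass, field

INTERFACES = ["outside", "inside"]  # constructed: the two interfaces of asa-1


@dataclass
class Rule:
    """One Policy rule; an empty list keeps the GUI default (Any / All)."""
    src: list = field(default_factory=list)         # [(address, netmask), ...]
    dst: list = field(default_factory=list)
    services: list = field(default_factory=list)    # [(protocol, port or None), ...]
    interfaces: list = field(default_factory=list)  # interface labels
    direction: str = "both"                         # inbound | outbound | both
    action: str = "deny"                            # accept | deny
    log: bool = True                                # Options: Logging On / Off


def addr(obj):
    """Render an IP object the way a Cisco access list expects it."""
    if obj is None:
        return "any"
    address, mask = obj
    return f"host {address}" if mask == "255.255.255.255" else f"{address} {mask}"


def acl_entries(name, rule):
    """Expand one rule into access-list lines, one per (service, src, dst)."""
    keyword = "permit" if rule.action == "accept" else "deny"
    log = " log" if rule.log else ""
    lines = []
    for proto, port in rule.services or [("ip", None)]:
        for s in rule.src or [None]:
            for d in rule.dst or [None]:
                port_part = f" eq {port}" if port else ""
                lines.append(f"access-list {name} extended {keyword} {proto} "
                             f"{addr(s)} {addr(d)}{port_part}{log}")
    return lines


def placements(rule, interfaces, generate_outbound_acls):
    """Decide which (interface, in|out) access-groups a rule lands in."""
    targets = rule.interfaces or interfaces
    wanted = (["in", "out"] if rule.direction == "both"
              else ["in" if rule.direction == "inbound" else "out"])
    result = []
    for d in wanted:
        if d == "out" and not generate_outbound_acls:
            # PIX emulation: outbound on X becomes inbound on every other interface
            result += [(i, "in") for i in interfaces if i not in targets]
        else:
            result += [(i, d) for i in targets]
    return list(dict.fromkeys(result))  # de-duplicate, keep order


def compile_policy(rules, interfaces=INTERFACES, generate_outbound_acls=False):
    """Return the access-list and access-group lines for a whole Policy."""
    acls = {}  # (interface, direction) -> lines, in rule order
    for rule in rules:
        for iface, d in placements(rule, interfaces, generate_outbound_acls):
            acls.setdefault((iface, d), []).extend(acl_entries(f"{iface}_{d}", rule))
    out = [line for entries in acls.values() for line in entries]
    out += [f"access-group {iface}_{d} {d} interface {iface}" for iface, d in acls]
    return out


# Scenario rule 1: SSH from Internal Network to the inside interface; its address
# 10.10.10.1 is a constructed placeholder (the guide only shows it in a figure).
RULE_SSH = Rule(src=[("10.10.10.0", "255.255.255.0")],
                dst=[("10.10.10.1", "255.255.255.255")],
                services=[("tcp", 22)], interfaces=["inside"],
                direction="inbound", action="accept")
# A logged deny-all written as an outbound rule on "outside".
RULE_DENY = Rule(interfaces=["outside"], direction="outbound")
```

With the default settings the outbound deny-all lands in the inside interface's inbound access list after the SSH rule; enabling "Generate outbound ACLs" keeps it as an "out" access-group on outside instead.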

6.1. Additional Tips For Working with Rules


Adding a Rule
To add a new rule click the icon at the top of the Rules Editor
window. This inserts a new rule above the current rule. To add a new
rule below the current rule right-click on a rule and select "Add New
Rule Below".
Figure 25. Adding Rules

Copy-and-Paste
In addition to drag-and-drop you can also copy-and-paste objects.
For example, you can right-click on the Internal Network object in
the first rule and select Copy. Navigate to the Source section of the
new rule you just created and right-click and select Paste.
Using Filters to Find Objects
Filters provide a way to quickly find objects in the tree without
having to open multiple folders and scroll. For example, if you
wanted to use the POP3 protocol in a rule you could use the filter to
find it.
The POP3 protocol object is located in the Standard library, so select
it from the dropdown menu at the top of the Object Window. Type
pop3 in to the filter field. This will display all objects in the current
library that contain pop3.
Figure 26. Using Filter to Find Objects

Note
After you are done with the filtered object, clear the filter field by
clicking the X to the right of the input box and then switch back to
the User library by selecting it in the dropdown menu at the top of
the object panel.
Example of Completed Rules
For our example we needed to create two firewall rules. The
completed firewall rules are shown in the diagram below.
Figure 27. Two Rules

7. Configuring NAT Rules

Now that the basic firewall rules are configured we need to define
our NAT policy. Open the NAT object for editing by double-clicking on
it in the object tree as shown in the diagram below.
Figure 28. Open the NAT Object for Editing

For this example we will create a single NAT rule that translates the
source IP address of any traffic coming from the inside
10.10.10.0/24 network going to the Internet. The source IP should
be translated to the IP address of the "outside" interface of the
firewall.
To edit NAT rules we use the same concepts used to edit the firewall
Policy rules. Start by clicking the green icon at the top of the
Rules panel to add a new NAT rule.
Drag-and-drop the "Internal Network" object you created earlier to
the Original Src column of the NAT rule. This identifies the traffic
that will have its source IP address translated. Now, drag-and-drop
the "outside" interface from the asa-1 firewall object to the
Translated Src column of the rule. This field identifies the IP address
that the traffic will be translated to. After you are done the NAT rule
should look like the diagram below.
Figure 29. Completed NAT Rule

That's it! Now we are ready to generate the configuration file and
use the built-in installer to deploy it to the firewall.

8. Compile and Install


In Firewall Builder the process of converting the rules from the
Firewall Builder GUI syntax to the target device commands is
called compiling the configuration.
To compile, click on the Compile icon, which looks like a hammer.
If you haven't saved your configuration file yet you will be asked to
do so. After you save your file, a wizard will be displayed that lets
you select which firewall(s) you want to compile. In this example we
are going to compile the firewall called asa-1 configured with the
rules above.
If there aren't any errors, you should see some messages scroll by in
the main window and a message at the top left stating Success.
To view the output of the compile, click on the button that says
Inspect Generated Files. This will open the file that contains the
commands in Cisco command format. Note that any line that starts
with ! is a comment.
Figure 30. Example Compiler Output

The output from the compiler is automatically saved in a file in the
same directory as the data file that was used to create it. The
generated files are named with the firewall name and a .fw
extension. In our example the generated configuration file is called
asa-1.fw. You can copy and paste the commands from this
file to your ASA or PIX firewall or you can use the built-in Firewall
Builder installer.
Installing
Firewall Builder can install the generated configuration file for you
using SSH and SCP. To use the installer we need to identify one of
the router interfaces as the Management Interface. This tells
Firewall Builder which IP address to connect to on the router.
Do this by double-clicking the firewall object to expand it, and then
double-clicking on the interface name that you want to assign as the
management interface. In this example this is interface Ethernet0/1,
the interface connected to the internal network.
Figure 31. Setting the Management Interface

Note
Any time you change access lists on your router you face the risk of
locking yourself out of the device. Please be careful to always
inspect your access lists closely and make sure that you will be able
to access the ASA / PIX after the access list is installed.
To install your access lists on the firewall, click on the install icon.
This will bring up a wizard where you will select the firewall to
install. Click Next > to install the selected firewall.
Figure 32. Setting Compile and Install Actions

Firewall Builder will compile your rules, converting them to Cisco
access list command line format. After the compile completes
successfully click Next >. Enter the firewall's username, password
and enable password.
Figure 33. Install Dialog

After the access list configuration is installed you will see a message
at the bottom of the main window and the status indicator in the
upper left corner of the wizard will indicate if the installation was
successful.
Figure 34. Successful Install

By default Firewall Builder uses SCP to copy the generated config
file to the firewall. Once the file is copied to the firewall, Firewall
Builder connects to it using SSH. It loads the transferred config file
from memory using the "copy" command, merging the Firewall
Builder generated commands with the current running configuration.
Firewall Builder requires SSH version 2 to be enabled on the firewall.
---Reference from
http://stage.fwbuilder.org/4.0/docs/gs/CiscoASA/asa_new_firewall.html