Networks Security Lab - Final Project

The project focuses on configuring a Cisco ASA Firewall to enhance network security through features such as NAT, ACLs, security policies, and routing protocols. It outlines objectives for implementing these configurations, including preserving internal network privacy and regulating traffic flow. The document also details the necessary hardware, software, skills, and guidelines for successful implementation and testing of the network setup.

Uploaded by oweissileen1

Networks Security Lab

Final Project
First Semester 2025/2026

Configuring Cisco ASA Firewall for Enhanced Network Security

Introduction
In today's interconnected digital landscape, safeguarding network infrastructure against cyber
threats is paramount. The Cisco Adaptive Security Appliance (ASA) firewall stands as a firm guardian,
offering robust security features essential for fortifying network perimeters. This project delves into
configuring a Cisco ASA firewall, leveraging its suite of security functions including Network Address
Translation (NAT), Access Control Lists (ACL), security policies, and routing protocols. Configuring the
ASA with these functions is a critical step in bolstering network security and defending against
evolving cyber threats.
Securing Networks with Cisco ASA Firewall: An Overview
- Network Address Translation (NAT): NAT serves as a pivotal tool for concealing internal network
structures while facilitating communication with external networks. Through dynamic or static
NAT configurations, Cisco ASA enables seamless translation of IP addresses, preserving network
privacy and enhancing security.
- Access Control Lists (ACL): As the first line of defense, ACLs regulate traffic flow based on
predefined rules, permitting or denying access to network resources. Leveraging Cisco ASA's ACL
capabilities, administrators exert granular control over inbound and outbound traffic, bolstering
network security and thwarting unauthorized access attempts.
- Security Policies: Crafting robust security policies is imperative for mitigating risks and
maintaining compliance standards. Cisco ASA firewall empowers administrators to formulate
comprehensive security policies, dictating permissible network behaviors and enforcing
stringent protocols to safeguard against malicious activities.

- Routing Protocols: Seamless communication between network devices necessitates efficient
routing protocols. Cisco ASA firewall seamlessly integrates with various routing protocols,
facilitating dynamic routing and ensuring optimal data transmission while upholding stringent
security measures.
Objectives of the Project
- Configure Cisco ASA firewall to implement NAT functionalities, preserving internal network
privacy and facilitating secure communication with external entities.
- Develop Access Control Lists (ACLs) on Cisco ASA to regulate traffic flow, enforcing stringent
security policies and mitigating potential threats.
- Formulate comprehensive security policies tailored to organizational requirements, delineating
permissible network behaviors and fortifying defense mechanisms against cyber threats.
- Integrate routing protocols into Cisco ASA firewall infrastructure to ensure seamless data
transmission while upholding robust security standards.

Topology

Software:
- Cisco Packet Tracer
Network Devices:
- Cisco ASA Firewall – 1 appliance – Model ASA 5506x
- Cisco Router – 3 routers – Model 4331
- Cisco Switches – 3 switches – Model 2960
- Cabling – Serial and Ethernet cables as shown in the topology
End Devices:
- 6 PCs
- 4 Servers
Needed Skills:
- Computer networks basics
- IP addressing
- Routing protocols – Static Routing
- Access List
- NAT and PAT
- Security Policies
Use the following IP addressing scheme:
Firewall: Cisco ASA 5506x

Interface   Name      Security level   IP address   SNM   Connected to
Gig 1/1     inside    100              [Link]       /24   S1
Gig 1/2     dmz       50               [Link]       /29   S2
Gig 1/3     outside   0                [Link]       /24   R1

Cisco Router ISR 4331

Device   Interface   IP Address   SNM   Connected to
R1       Gi 0/0/0    [Link]       /29   ASA - Gig 1/3
R1       Se 0/1/0    [Link]       /30   R2 - Se 0/1/0
R2       Se 0/1/0    [Link]       /30   R1 - Se 0/1/0
R2       Se 0/1/1    [Link]       /30   R3 - Se 0/1/1
R3       Se 0/1/1    [Link]       /30   R2 - Se 0/1/1
R3       Gig 0/0/1   [Link]       /24   S3

End Devices

Device                 Interface   IP Address   SNM    Default Gateway   Switch port
PC-A                   NIC         DHCP         DHCP   DHCP              S1 - Fa 0/18
PC-B                   NIC         [Link]       /24    [Link]            S1 - Fa 0/19
PC-C                   NIC         DHCP         DHCP   DHCP              S1 - Fa 0/20
PC-D                   NIC         [Link]       /24    [Link]            S1 - Fa 0/21
PC-1                   NIC         [Link]       /24    [Link]            S3 - Fa 0/18
PC-Management Branch   NIC         [Link]       /24    [Link]            S3 - Fa 0/24
http server X          NIC         [Link]       /24    [Link]            S2 - Fa 0/6
ftp Server X           NIC         [Link]       /24    [Link]            S2 - Fa 0/7
HTTP Server 1          NIC         [Link]       /24    [Link]            S3 - Fa 0/17
FTP Server 1           NIC         [Link]       /24    [Link]            S3 - Fa 0/19

Design Requirements:

Test connectivity and ensure that the network works properly and according to the following
requirements:
1. Any host at the inside zone can ping any host or server at outside zone.
2. Any inside host can access all the servers in dmz zone. (http X and ftp X)
3. Any inside host can access all the servers in outside zone. (http 1 and ftp 1)
4. Any outside host/ server cannot ping inside hosts and dmz servers.
5. Any outside host can access http server X at dmz zone.
6. Any outside host cannot access ftp server X at dmz zone.
7. Only PC- Management Branch can access ASA via SSH from outside

Guidelines:
Part 1: Basic Router/Switch/PC Configuration
1. Cable the network as shown in the topology.
2. Configure hostnames and interface IP addresses for the routers (the router hostnames
should include your names in the following format: R1_<name>_<name>_<name>).
3. Configure the hostnames for the switches (the switch hostnames should include your
names in the following format: S1_<name>_<name>_<name>).
4. Configure static routing, including default routes, between R1, R2, and R3.
5. Configure a minimum password length of 7 characters on all network devices.
6. Configure a user account, encrypted passwords, and crypto keys for SSH on Routers and
switches. (use the password: cisco123 and the key length 1024)
7. Configure the console line to use the local user database for logins. For additional security,
configure the line to log out after three minutes of inactivity, and prevent console messages
from interrupting command entry on routers and switches.
8. Configure PC hosts IP settings. (Refer to the given addressing table)
9. Configure Servers IP settings. (Refer to the given addressing table)
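The baseline router configuration that Part 1 asks for, collected into one session for R1. This is an added example and not part of the handout; the name parts of the hostname, the domain name lab.local, the username admin and every address (RFC 5737 documentation ranges and a private /30) are placeholders, so take the real values from the addressing table.

```cisco
! Added example (not from the handout): R1 baseline, Part 1 steps 2-7.
! Placeholders: hostname name parts, domain lab.local, user admin, all addresses.
enable
configure terminal
hostname R1_name1_name2_name3
! Step 5: enforce the minimum length BEFORE any password is created, or it is not checked
security passwords min-length 7
service password-encryption
! Step 6: local user (password cisco123 per handout), domain name, 1024-bit RSA key for SSH
username admin secret cisco123
ip domain-name lab.local
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
! Step 2: interface addressing (placeholder addresses)
interface GigabitEthernet0/0/0
 description Link to ASA Gig 1/3
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface Serial0/1/0
 description Link to R2 Se 0/1/0
 ip address 10.1.12.1 255.255.255.252
 clock rate 64000
 no shutdown
! Step 4: static routing. R1 reaches the branch LAN through R2. R2 and R3 need the
! mirror-image routes (R2: branch LAN via Se 0/1/1 and default via Se 0/1/0;
! R3: default via Se 0/1/1).
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
! Step 7: console logs in against the local database, idles out after 3 minutes,
! and log messages no longer break up a half-typed command
line console 0
 login local
 exec-timeout 3 0
 logging synchronous
! Remote access is SSH-only on the VTY lines, same local database
line vty 0 4
 login local
 transport input ssh
 exec-timeout 3 0
 logging synchronous
end
show ip route
```

`clock rate` belongs only on the DCE end of each serial link. The password, SSH and console lines are repeated unchanged on R2, R3 and the three switches; only the hostname, interface addressing and static routes differ per device.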

Part 2: Configuring Basic ASA Settings and Interface Security Levels Using the CLI.
10. Configure the hostname and domain name. (The default ASA hostname and prompt is
ciscoasa> and the default enable password is blank i.e. just hit enter)
11. Configure the login and enable passwords (Use the pass “enb”)
12. Set the date and time.
13. Configure the inside and outside and dmz interfaces and associate them with proper security
level. (Refer to the ASA table above)
Interface security-level notes:
You may receive a message that the security level for the inside interface was set automatically
to 100, and the outside interface was set to 0. The ASA uses interface security levels from 0 to
100 to enforce the security policy. Security level 100 (inside) is the most secure and level 0
(outside) is the least secure. By default, the ASA applies a policy where traffic from a higher
security level interface to one with a lower level is permitted and traffic from a lower security
level interface to one with a higher security level is denied. The ASA default security policy permits
outbound traffic, which is inspected, by default. Returning traffic is allowed due to stateful packet
inspection.

14. Determine the ASA version, interfaces, and license, then answer the following:
a. What software version is this ASA running?
b. What is the name of the system image file and from where was it loaded?
c. How much RAM does this ASA have?
d. How much flash memory does this ASA have?
e. How many Ethernet ports does this ASA have?
f. What type of license does this ASA have?

Part 3: Configuring Routing, Address Translation, and Inspection Policy Using the ASA CLI
15. Configure a static default route for the ASA.
16. Configure NAT (dynamic NAT or PAT) on the ASA to translate the inside network addresses
([Link]/24) to the global address of the outside ASA interface. This type of object
configuration is called Auto-NAT. (The inside hosts' private IPs must be translated to the
public IP address of the ASA's Gig 1/3 interface in order to reach the Internet (outside).)
17. Modify the MPF application inspection global service policy. For application layer inspection,
as well as other advanced options, the Cisco MPF is available on ASAs. Cisco MPF uses three
configuration objects to define modular, object-oriented, and hierarchical policies:
- Class maps - Define a match criterion.
- Policy maps - Associate actions to the match criteria.
- Service policies - Attach the policy map to an interface, or globally to all interfaces of the
appliance.
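Parts 2 and 3 end-to-end on the ASA: basic settings, the three interfaces with the security levels from the ASA table, the default route, Auto-NAT (an object with a `nat` statement, which is the object NAT form the handout calls Auto-NAT) and the MPF global policy. Added example, not the handout's own configuration; the hostname ASA-LAB, the domain lab.local, the clock value and all addresses (RFC 5737 ranges) are placeholders to be replaced from the tables above.

```cisco
! Added example (not from the handout): ASA 5506-X, Part 2 (steps 10-13) and Part 3 (15-17).
! Placeholders: hostname, domain, clock, all addresses.
enable
configure terminal
hostname ASA-LAB
domain-name lab.local
! Step 11: enable and login (Telnet/console) passwords, "enb" as the handout specifies
enable password enb
passwd enb
! Step 12
clock set 10:00:00 Jan 1 2026
! Step 13: interfaces and security levels from the ASA table (100 / 50 / 0)
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.248
 no shutdown
interface GigabitEthernet1/3
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
! Step 14: version, image, RAM, flash, ports and license all come from one command
show version
! Step 15: default route toward R1's Gi 0/0/0
route outside 0.0.0.0 0.0.0.0 203.0.113.2
! Step 16: Auto-NAT (object NAT): dynamic PAT of the inside /24 to the outside interface address
object network INSIDE-NET
 subnet 192.0.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Step 17: MPF. The class map matches the default inspection ports, the policy map
! adds ICMP inspection so echo replies to inside pings are tracked statefully
! (design requirement 1), and the service policy applies it on every interface.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
end
show nat
show service-policy
```

Without `inspect icmp` the default policy still lets an inside host send the echo request (higher to lower security level) but the reply from outside is not matched to a connection and is dropped, which is the most common reason requirement 1 fails.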

Part 4: Configuring DHCP, AAA, and SSH on ASA


18. Configure the ASA as a DHCP server. The ASA can be both a DHCP server and a DHCP client.
In this step, you will configure the ASA as a DHCP server to dynamically assign IP addresses
to DHCP clients on the inside network. (PC-B and PC-D use static addresses, so specify the
pool as [Link]-[Link].) NOTE: By default, the ASA sets its own IP address as the DHCP
default gateway, so there is no need to configure it. However, to manually configure the
default gateway, or to set it to a different networking device's IP address, use the following
command:
ASA(config)# dhcpd option 3 ip [Link]

19. Configure local AAA user authentication, i.e. configure AAA to use the local ASA database
for SSH user authentication (Hint: this is a one-line command).

20. Configure SSH remote access to the ASA.


- You can configure the ASA to accept SSH connections from a single host or a range of hosts
on the inside or outside network.
- Generate an RSA key pair, which is required to support SSH connections. The modulus (in
bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the
longer it takes to generate an RSA. Specify a modulus of 1024 using the crypto key
command. Note: You may receive a message that an RSA key pair is already defined. To
replace the RSA key pair, enter yes at the prompt.
- Configure the ASA to allow SSH connections from any host on the inside network
([Link]/24) and from the remote management host at the branch office
(PC-Management Branch) on the outside network. Set the SSH timeout to 8 minutes (the
default is 5 minutes).
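Part 4 in one session: DHCP on the inside interface, local AAA for SSH, the RSA key pair and the SSH host restrictions from step 20. Added example, not the handout's configuration; the pool range, the user admin, the domain lab.local and the branch management host address 10.99.99.10 are placeholders, to be replaced by the values from the addressing table.

```cisco
! Added example (not from the handout): ASA Part 4, steps 18-20.
! Placeholders: pool range, user admin, domain, branch host 10.99.99.10.
configure terminal
! Step 18: DHCP server on inside. The pool is chosen so the static hosts PC-B and PC-D
! fall outside it; the ASA hands out its own inside address as the default gateway.
dhcpd address 192.0.2.10-192.0.2.100 inside
dhcpd enable inside
! Only if a different gateway must be advertised (handout's note):
! dhcpd option 3 ip 192.0.2.1
! Step 19: SSH logins are checked against the local user database (the one-line command)
username admin password cisco123 privilege 15
aaa authentication ssh console LOCAL
! Step 20: RSA key pair with the 1024-bit modulus the handout asks for (answer "yes" if
! the ASA reports an existing pair), then the permitted SSH sources: the whole inside
! /24, and on the outside ONLY the branch management PC (design requirement 7)
domain-name lab.local
crypto key generate rsa modulus 1024
ssh 192.0.2.0 255.255.255.0 inside
ssh 10.99.99.10 255.255.255.255 outside
ssh timeout 8
ssh version 2
end
show ssh
show dhcpd binding
```

The `ssh <host> <mask> <interface>` lines are the control that enforces requirement 7: any outside source not listed is refused at the ASA before authentication is attempted, so listing the single branch host with a /32 mask, and nothing broader, is the whole point of that step.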

Part 5: Configuring DMZ, Static NAT, and ACLs


21. Configure the dmz interface on the ASA.
22. Configure static NAT for the http server X at the dmz zone to translate its private IP to the
public IP of [Link].
23. Configure an ACL to allow access to the http server X at dmz for Internet (outside) users.
24. Verify access to the dmz servers for external and internal users.
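Part 5 and the verification of design requirements 4, 5 and 6 together. Added example, not the handout's configuration; the real address of http server X (198.51.100.3), its public address (203.0.113.227), the ftp server's address and the branch host used in the `packet-tracer` checks are placeholders taken from the RFC 5737 ranges, to be replaced by the values in the tables above.

```cisco
! Added example (not from the handout): ASA Part 5, steps 21-24.
! Placeholders: 198.51.100.3 (http X real), 203.0.113.227 (http X public), 10.99.99.10 (branch PC).
configure terminal
! Step 21 was done with the dmz interface in Part 2 (nameif dmz, security-level 50).
! Step 22: object NAT maps the web server's private address to the public one
object network DMZ-HTTP-X
 host 198.51.100.3
 nat (dmz,outside) static 203.0.113.227
! Step 23: inbound ACL on outside. On ASA 8.3 and later the ACL references the REAL
! (untranslated) address, not the public one. Only TCP/80 is permitted, so:
!  - requirement 5: outside hosts reach http server X
!  - requirement 6: ftp server X has no NAT entry and no permit line, so it stays unreachable
!  - requirement 4: ICMP from outside toward inside or dmz hits no permit line and is denied
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.3 eq www
access-group OUTSIDE-IN in interface outside
end
! Step 24: verification. packet-tracer exists on ASA software (it may be absent in the
! Packet Tracer simulator); the first check should report ALLOW, the second DROP.
show xlate
show access-list OUTSIDE-IN
packet-tracer input outside tcp 10.99.99.10 1025 203.0.113.227 80
packet-tracer input outside tcp 10.99.99.10 1025 203.0.113.227 21
```

Keeping the ACL to the one permitted service rather than `permit ip any host ...` is what makes requirement 6 hold; a broader line would also expose the ftp server if it were ever given a translation. Inside hosts still reach both dmz servers (requirement 2) through the default higher-to-lower security-level policy, which this ACL does not touch.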

What to submit?
- A packet tracer file.
- A report, written in a proper manner, that includes the commands you used, explains your
work, and contains screenshots of your whole work (not a full report).
- You have to present your work in front of your instructor and show
everything is working as needed.
- Due Date 1/Jan/2026 – 11 PM

Best of Luck 😊
