ASAv Version: 9.16

In this tutorial I will show you how to configure the ASAv inside and outside interfaces to allow access to the internet from a workstation in the LAN.

We will be using the GigabitEthernet0/0 interface (GE0/0) as the outside interface for connection to the Internet. I have a 2-tier firewall in my setup, so you will only see that my WAN interface has an internal (private) IP address.

By now you should be familiar with the command to enable configuration and enter global configuration mode.

We will be using the GigabitEthernet0/1 interface (GE0/1) as the inside interface for connection to the internal network.

The commands to configure the outside interface to get its IP address from the DHCP server, for a home lab setup like mine, are as follows:

ciscoasa> enable
ciscoasa# configure terminal
  • Go to the interface that you are going to configure as the outside interface, in our case GE0/0.
ciscoasa(config)# interface GigabitEthernet0/0
  • Use nameif to give the interface a name.
  • Set the security-level <0-100>, 0 being the least secure and 100 being the most secure. For the outside interface you want to set it to a low-security zone.
  • If you are getting the IP address from the upstream DHCP server, you can use the ip address dhcp setroute command to get the upstream IP address and set the default route based on the default gateway assigned by the DHCP server.
  • Use no shutdown to bring up the interface.
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# no shutdown

The commands to configure the inside interface, manually assigning its IP address, are as follows:

  • Use nameif to give the interface a name.
  • Set the security-level <0-100>, 0 being the least secure and 100 being the most secure. For the inside interface you want to set it to a high-security zone.
  • Set the IP address of the inside interface.
  • Use no shutdown to bring up the interface.
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.46.221 255.255.255.0
ciscoasa(config-if)# no shutdown

To allow access to the internet from the PC on the inside interface (LAN), you will need to create a dynamic PAT rule:

  • Create a network object for the internal/inside subnet.
  • Add the subnet.
  • Add the PAT configuration.
ciscoasa(config)# object network my_inside_net
ciscoasa(config-network-object)# subnet 192.168.46.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Optional: If you are planning to set the outside interface (WAN) IP address manually, the command is the same ip address command that you use to set up the inside interface. (This is usually what you would do in an office environment.)

You will also need to set up the default route to the upstream default gateway IP address. Usually this is the next-hop IP address, the inside interface of the upstream firewall/router.

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 <gateway ip address>
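
To check the finished configuration against the steps above, the following Python code parses "show running-config" style text and reports a wrong security-level ordering, a missing default route, or a dynamic PAT object whose subnet does not cover the inside interface. It is an added example, not part of the original tutorial or any Cisco tool; the names parse and audit and the sample text are constructed for illustration.

```python
import ipaddress
# Constructed sample: the tutorial's settings in "show running-config" layout.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.46.221 255.255.255.0
object network my_inside_net
 subnet 192.168.46.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

def parse(cfg):  # hypothetical helper: collects only the settings this page uses
    ifs, subnets, pats, routes, sect = {}, {}, [], set(), ("", "")
    for line in filter(str.strip, cfg.splitlines()):
        w = line.split()
        if not line[0].isspace():          # top-level line opens a new section
            sect = (w[0], w[-1])
            if w[0] == "route" and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
                routes.add(w[1])           # default route, keyed by interface name
        elif sect[0] == "interface" and w[0] in ("nameif", "security-level"):
            ifs.setdefault(sect[1], {})[w[0]] = w[1]
        elif sect[0] == "interface" and w[:2] == ["ip", "address"]:
            ifs.setdefault(sect[1], {})["ip"] = w[2:]
        elif sect[0] == "object" and w[0] == "subnet":
            subnets[sect[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif sect[0] == "object" and w[0] == "nat" and w[2:] == ["dynamic", "interface"]:
            pats.append((sect[1], w[1]))   # (object name, "(inside,outside)")
    return ifs, subnets, pats, routes

def audit(cfg):  # returns a list of findings; an empty list means every check passed
    ifs, subnets, pats, routes = parse(cfg)
    named = {d["nameif"]: d for d in ifs.values() if "nameif" in d}
    if "inside" not in named or "outside" not in named:
        return ["inside and outside interfaces must both be named"]
    inside, outside, out = named["inside"], named["outside"], []
    if int(outside.get("security-level", 0)) >= int(inside.get("security-level", 100)):
        out.append("outside security-level is not lower than inside")
    if outside.get("ip") != ["dhcp", "setroute"] and "outside" not in routes:
        out.append("no default route through outside")
    ip = inside.get("ip", [])
    lan = ipaddress.ip_interface("/".join(ip[:2])).network if ip and ip[0][0].isdigit() else None
    if not any(nat == "(inside,outside)" and lan is not None and obj in subnets
               and lan.subnet_of(subnets[obj]) for obj, nat in pats):
        out.append("no dynamic PAT covers the inside subnet")
    return out
```

Calling audit(SAMPLE) returns an empty list; paste in your own running-config text to check a lab device the same way.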