As with configuring any firewall, administrators should develop a checklist that they can
use during the installation and implementation of the PIX/ASA firewall in the network.
There are really two components to this checklist. First, you want to define the
implementation requirements and determine how the firewall should be configured and
what options will be enabled. In essence, design and plan your firewall implementation
before you configure and implement the firewall. To help with the planning of your
PIX/ASA firewall implementation, consider the following items (although not an
exhaustive list, it is a good basic checklist for many environments):
• Determine how many interfaces will be required.
• Determine how the interfaces will need to be configured (for example, interface
speed and duplex).
• Determine the IP addresses that will be assigned to the firewall interfaces and how
the addresses will be assigned (for example, static IP addresses or DHCP).
• Determine what type of routing will be used (dynamic or static) and define any
static and default routes.
• Determine how NAT will be used (for example, static, dynamic, no NAT at all, or
any combination of the three).
• Define which internal hosts will need to be accessed from the outside, and whether
that access will be handled by static NAT or without NAT.
• Define which ACLs (both inbound and outbound) will be required.
• Define how authentication and command authorization on the PIX will be handled
(for example, will a AAA server be required?).
• Define the firewall administrator roles and the corresponding access levels that
will be required.
• Will remote-access or LAN-to-LAN VPNs be configured on the PIX/ASA? If so,
define the VPN configuration settings.
• Define the passwords that will be used on the firewall.
• Define how the PIX will be managed (for example, using Telnet, SSH, ASDM)
and from what networks or hosts remote access will be permitted.
• Define how logging will be handled (for example, will the PIX/ASA log to a
remote syslog server?).
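To make the planning items concrete, here is an added example (not from the book) of how one set of planning decisions maps onto an ASA configuration: two interfaces with fixed speed/duplex and static addressing, a static default route, dynamic PAT for inside hosts plus one static NAT for a published web server, an inbound ACL limited to that server, SSH-only management from the inside network, TACACS+ authentication with a local fallback, NTP, and remote syslog. Hostname, addresses, interface numbers and server addresses are assumed, secrets are placeholders, and the NAT lines use the pre-8.3 (PIX-style) syntax.

```cisco
! --- Name, domain and passwords (planning: firewall naming, password policy)
hostname fw1
domain-name example.com
enable password <set-a-strong-enable-secret>
passwd <set-a-strong-login-password>
! --- Interfaces (planning: two interfaces, explicit speed/duplex, static IPs)
interface Ethernet0/0
 nameif outside
 security-level 0
 speed 100
 duplex full
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! --- Routing (planning: static routing, one default route to the ISP)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! --- NAT (planning: dynamic PAT outbound, static NAT for the web server)
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) 203.0.113.3 10.1.1.10 netmask 255.255.255.255
! --- Inbound ACL (planning: only HTTP/HTTPS to the published server)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-group OUTSIDE_IN in interface outside
! --- Management (planning: SSH only, only from the inside network)
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! --- AAA (planning: TACACS+ server for admin login, local user as fallback)
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.20
 key <tacacs-shared-secret>
aaa authentication ssh console TACACS LOCAL
username admin password <strong-password> privilege 15
! --- Time (planning: NTP so log timestamps are trustworthy)
clock timezone UTC 0
ntp server 10.1.1.20 source inside
! --- Logging (planning: log to a remote syslog server on the inside)
logging enable
logging timestamp
logging host inside 10.1.1.30
logging trap informational
```

Because no Telnet line is present and the `ssh` statement names only the inside network, management access from the outside interface is denied by default; each planning decision above can be checked against the running configuration with `show running-config`.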
After you have completed your planning and defined the requirements and determined
how the firewall should be configured and what options will be enabled, the second step
of the PIX/ASA checklist is to list out the specific configuration steps required to
configure the firewall. Whereas the preceding checklist focused on the planning and
design, this checklist uses that information to define what actually needs to be done for
the actual firewall configuration. A good configuration checklist for the PIX/ASA
firewall consists of the following:
1. Configure the firewall interfaces.
2. Configure the firewall passwords.
3. Configure the firewall name and domain name.
4. Assign addresses to the firewall interfaces.
5. Configure the appropriate routing.
6. Configure the appropriate remote management settings.
7. Configure AAA as required.
8. Configure the firewall time settings.
9. Configure the appropriate logging settings.
10. If required, configure NAT and any other translations.
11. Build and implement the appropriate ACLs and apply them to the appropriate
interfaces in the appropriate direction.
12. Configure application inspection.
13. Configure advanced features such as failover, VPN, or IPS.
14. If the firewall is an ASA, configure the advanced antivirus, antispyware, and