How to Set up Basic Cisco ASA Firewall
Before we get started, a note on versions: the commands below use the NAT syntax introduced in ASA 8.3, so the configuration is essentially the same on 8.4 and every later release. If your ASA runs 8.4 or newer, nothing here should look unfamiliar.
Step 1 :
Set up the interfaces and IP addressing on the ASA. Each interface gets a name (nameif) and a security level. By default the ASA lets traffic start from a higher security level toward a lower one and blocks the reverse unless an access list permits it, so with the levels used below inside (100) can reach dmz (50) and outside (0), dmz can reach outside only, and nothing on the outside can initiate a connection inward.
ciscoasa>
ciscoasa> en
Password:
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname Cisco-ASA
Cisco-ASA(config)# int g0/0
Cisco-ASA(config-if)# description Inside Zone
Cisco-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
Cisco-ASA(config-if)# ip add 192.168.1.1 255.255.255.0
Cisco-ASA(config-if)# no sh
Cisco-ASA(config-if)# int g0/1
Cisco-ASA(config-if)# description Outside Zone - Towards Internet
Cisco-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
Cisco-ASA(config-if)# ip address 4.4.4.1 255.255.255.252
Cisco-ASA(config-if)# no sh
Cisco-ASA(config-if)# int g0/2
Cisco-ASA(config-if)# description DMZ Side
Cisco-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
Cisco-ASA(config-if)# security-level 50
Cisco-ASA(config-if)# ip add 192.168.20.1 255.255.255.0
Cisco-ASA(config-if)# no sh
Step 2 :
Set up the DHCP server used by the inside hosts.
Cisco-ASA(config)# dhcpd address 192.168.1.5-192.168.1.254 inside
!---- Define the DHCP pool.
Cisco-ASA(config)# dhcpd dns 192.168.1.2 8.8.8.8 interface inside
!---- Define the primary and secondary DNS servers handed to clients.
Cisco-ASA(config)# dhcpd enable inside
!---- Start serving DHCP on the inside interface.
We can verify that a client received its IP settings from the ASA with show dhcpd binding (the current leases) and show dhcpd statistics.
Step 3 :
Enable internet access for the inside and DMZ hosts.
Cisco-ASA(config)# route outside 0 0 4.4.4.2
! -----Default route towards the internet (the next hop is the ISP side of the /30).
Cisco-ASA(config)# nat (inside,outside) after-auto source dynamic any interface
! -----NAT rule to translate inside hosts to the outside interface's public IP (dynamic PAT).
Cisco-ASA(config)# nat (dmz,outside) after-auto source dynamic any interface
! -----NAT rule to translate dmz hosts to the outside interface's public IP (dynamic PAT).
The ASA evaluates NAT rules in three sections: section 1 holds manual (twice) NAT, section 2 holds auto (object) NAT, and section 3 holds manual NAT written with the after-auto keyword. Putting the catch-all dynamic PAT rules in section 3 makes them the last thing evaluated, so they cannot shadow a more specific rule, such as a static translation for a DMZ server, that you add later in section 1 or 2. Check the resulting order with show nat.
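As an added example (not part of the original post), here is how the after-auto rule interacts with a more specific rule added later: a hypothetical web server at 192.168.20.10 in the dmz is published on the outside interface address through object NAT (section 2), while the after-auto dynamic PAT from Step 3 stays in section 3. The access list is required because NAT alone never opens access from a lower to a higher security level; since ASA 8.3 the access list references the real (untranslated) address. The server address and the names DMZ-WEB and OUTSIDE-IN are assumptions.

```cisco
! Added example: section ordering of the NAT table (not from the original post).
! Assumed: a web server at 192.168.20.10 in the dmz; DMZ-WEB and OUTSIDE-IN are made-up names.
object network DMZ-WEB
 host 192.168.20.10
 ! Object (auto) NAT lands in section 2: map TCP/80 on the outside interface IP to the server.
 nat (dmz,outside) static interface service tcp 80 80
!
! The dynamic PAT from Step 3 stays in section 3 because of after-auto, so it is only
! consulted when nothing in sections 1 and 2 matched and it cannot shadow DMZ-WEB.
nat (dmz,outside) after-auto source dynamic any interface
!
! NAT does not grant access. outside (level 0) -> dmz (level 50) still needs an explicit
! permit; since 8.3 the access list uses the real address, not the translated one.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-group OUTSIDE-IN in interface outside
!
! Verification (privileged exec):
!   show nat                  -- rules listed per section, with translate_hits counters
!   packet-tracer input outside tcp 203.0.113.7 40000 4.4.4.1 80
!       -- expect "Action: allow" with a NAT phase to 192.168.20.10
!   packet-tracer input dmz tcp 192.168.20.10 40000 198.51.100.9 443
!       -- the server's own outbound traffic (source port not 80) skips the section-2
!          static rule and is translated by the section-3 PAT
```

The outbound packet-tracer is the useful check: because the static rule is limited to TCP/80, the server's ordinary outbound connections fall through to the after-auto PAT exactly as the inside hosts do, and show nat will show the hit landing on the section-3 rule.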
With this configuration TCP and UDP traffic to the internet works from the inside and dmz hosts, but those hosts can't ping internet addresses. The reason is that ICMP inspection is disabled in the default global policy. Without it the ASA does not create a connection entry for an outbound echo request, so the echo reply arriving on the lower-security outside interface has no matching connection and is dropped by the default policy. Cisco leaves it off because ICMP is a common abuse vector (smurf-style amplification floods, for example), so enable it deliberately rather than by reflex.
Let's enable the inspection temporarily.
Cisco-ASA# sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
Cisco-ASA#
! -----To see the default policy.
Cisco-ASA(config)# policy-map global_policy
Cisco-ASA(config-pmap)# class inspection_default
Cisco-ASA(config-pmap-c)# inspect icmp
Cisco-ASA(config-pmap-c)# end
Ping from the inside and dmz hosts now works.
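As an added example (not from the original post), the following makes ICMP handling deliberate rather than wide open: it enables inspection for echo and for ICMP error messages (so traceroute and path-MTU discovery work too), restricts which ICMP the ASA's own interfaces will answer (a separate control from through-traffic), and shows how to verify the result. The inside host address is an assumption.

```cisco
! Added example: stateful ICMP plus control of ICMP aimed at the firewall itself
! (not from the original post; 192.168.1.10 is an assumed inside host).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The icmp command governs ICMP that terminates ON the ASA, not traffic through it.
! Once any rule exists for an interface, matching is first-match followed by an
! implicit deny, so the permits go before the catch-all deny.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
icmp permit 192.168.1.0 255.255.255.0 inside
!
! Verification (privileged exec):
!   show run service-policy        -- confirm "service-policy global_policy global" is applied
!   show service-policy global inspect icmp
!   packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8
!       -- expect "Action: allow"; the echo reply now matches a tracked connection
!   show conn | include ICMP
```

With the outside interface no longer answering echo requests, an internet scanner gets no ping response from the firewall, while unreachable and time-exceeded are still accepted so path-MTU discovery and traceroute toward the ASA keep working.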
It is important to keep logs, so that after an incident you can see what happened at that time. The simplest option is logging to the ASA's memory buffer. The buffer size is given in bytes, so logging buffer-size 512000 is about 500 KB, not 512 MB; once the buffer is full the oldest messages are overwritten. Buffered logging, like every other logging destination, only produces output once logging is switched on globally with logging enable. The debugging level records everything, including every connection build and teardown, which fills a small buffer in seconds and costs CPU on a busy firewall; it is fine while troubleshooting, but informational is the usual day-to-day level. The buffer is also lost on reload, so send a copy to a syslog server as well. Make sure the time and date are configured correctly, ideally from NTP, or the timestamps are useless for correlating events across devices.
Cisco-ASA# clock set 04:24:00 15 july 2017
Cisco-ASA(config)# clock timezone EST -5
Cisco-ASA(config)# clock summer-time EST recurring
Cisco-ASA(config)# logging buffer-size 512000
Cisco-ASA(config)# logging buffered debugging
To view the logs, issue the command "show logging".
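As an added example (not from the original post), here is the logging configuration a practitioner would actually run: the clock synchronised from NTP instead of set by hand, logging enabled globally with timestamps, a larger buffer at a sustainable level, and a copy shipped off-box. The NTP server at 192.168.1.2 and the syslog collector at 192.168.1.50 are assumptions.

```cisco
! Added example: durable, time-synchronised logging (not from the original post).
! Assumed: an internal NTP server at 192.168.1.2 and a syslog collector at 192.168.1.50.
!
! Time first: a correct clock is what makes the logs usable as evidence.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.168.1.2 source inside prefer
!
! Nothing below emits a message until logging is globally enabled.
logging enable
logging timestamp
!
! Local buffer: size is in bytes (1 MB here), at informational rather than debugging
! so it holds useful history instead of wrapping every few seconds.
logging buffer-size 1048576
logging buffered informational
!
! Off-box copy: the buffer is lost on reload, and anyone with the enable password can
! clear it with "clear logging buffer". Send the same level to the syslog collector.
logging host inside 192.168.1.50
logging trap informational
!
! Verification (privileged exec):
!   show clock
!   show ntp status
!   show logging                           -- settings, queue statistics, then the buffered messages
!   show logging | include %ASA-6-302013   -- "Built ... TCP connection" messages
```

The trap level and the buffered level are set independently, so when you temporarily raise the buffer to debugging for a troubleshooting session the syslog stream stays at informational and the collector is not flooded.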