Before we get started, let me point out that the basic CLI configuration of the ASA firewall is the same for all ASA versions from 8.4 onward, so please don't get confused: if your ASA version is 8.4 or later, the configuration below will be almost identical.
Step 1:
Set up the IP configuration on the ASA.
ciscoasa>
ciscoasa> en
Password:
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname Cisco-ASA
Cisco-ASA(config)# int g0/0
Cisco-ASA(config-if)# description Inside Zone
Cisco-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
Cisco-ASA(config-if)# ip add 192.168.1.1 255.255.255.0
Cisco-ASA(config-if)# no sh
Cisco-ASA(config-if)# int g0/1
Cisco-ASA(config-if)# description Outside Zone - Towards Internet
Cisco-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
Cisco-ASA(config-if)# ip address 4.4.4.1 255.255.255.252
Cisco-ASA(config-if)# no sh
Cisco-ASA(config-if)# int g0/2
Cisco-ASA(config-if)# description DMZ Side
Cisco-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
Cisco-ASA(config-if)# security-level 50
Cisco-ASA(config-if)# ip add 192.168.20.1 255.255.255.0
Cisco-ASA(config-if)# no sh
Step 2:
Set up the DHCP server for the inside hosts.
Cisco-ASA(config)# dhcpd address 192.168.1.5-192.168.1.254 inside
! ---- To define the DHCP pool.
Cisco-ASA(config)# dhcpd dns 192.168.1.2 8.8.8.8 interface inside
! ---- to define primary and secondary dns.
Cisco-ASA(config)# dhcpd enable inside
! ---- Enable the DHCP for inside hosts.
We can verify that the client is getting its IP settings from the DHCP server.
Step 3:
Enable internet access for the internal and DMZ hosts. This can be done in either of two ways; use whichever you prefer.
1.
Cisco-ASA(config)# route outside 0 0 4.4.4.2
! -----Default route towards internet.
Cisco-ASA(config)# nat (inside,outside) after-auto source dynamic any interface
! -----Nat rule to translate the inside host to outside public ip.
Cisco-ASA(config)# nat (dmz,outside) after-auto source dynamic any interface
! -----Nat rule to translate the dmz host to outside public ip.
The "after-auto" keyword simply makes this NAT rule the least preferred, so it is evaluated only after the Manual NAT and Auto NAT rules have been evaluated. Giving it the lowest precedence avoids possible conflicts with other NAT rules.
OR
2.
object network NET_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
object network NET_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
nat (dmz,outside) dynamic interface
Now the settings are configured properly and the internet is working from the inside and DMZ hosts, but the inside and DMZ hosts can't ping the internet.
That's because ICMP inspection is disabled by default in the firewall for security reasons, as there are many types of attacks that can be carried out using ping; the most common is the smurf attack, a form of denial-of-service attack.
Let's enable the inspection temporarily.
Cisco-ASA# sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Cisco-ASA#
! -----To see the default policy.
Cisco-ASA(config)# policy-map global_policy
Cisco-ASA(config-pmap)# class inspection_default
Cisco-ASA(config-pmap-c)# inspect icmp
Cisco-ASA(config-pmap-c)# end
Now ping is working fine.
Step 4:
It is important to keep saving the logs so that in any accidental situation you can check in the logs what happened at that time. We can enable logging into the ASA's buffer memory. We can set the log size to 512 MB or even more, and the older logs are deleted automatically as the buffer fills. We can set the logging level to "Debugging", which records everything in detail. Make sure that the time and date are configured correctly.
Cisco-ASA# clock set 4:24:00 15 july 2017
Cisco-ASA(config)# clock timezone EST -5
Cisco-ASA(config)# clock summer-time EST recurring
Cisco-ASA(config)# logging buffer-size 512000
Cisco-ASA(config)# logging buffered debugging
To view the logs, issue the command "show logging".
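As an added example (not from the original post), here is a small Python audit that parses an ASA running-config and checks the points covered in the steps above: every named interface has an explicit security-level with dmz sitting between outside and inside, "inspect icmp" is present in global_policy, and buffered logging is enabled. The sample config is constructed from this post's commands, and the buffer-size check notes that the ASA value is given in bytes.

```python
import re
# Constructed sample running-config built from this post's commands (not a real capture).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif outside
 security-level 0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
logging buffer-size 512000
logging buffered debugging
policy-map type inspect dns migrated_dns_map_1
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect icmp
"""

def parse_interfaces(config):
    """Map each nameif to its security-level (None when never set explicitly)."""
    levels = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name = re.search(r"^ nameif (\S+)$", block, re.M)
        level = re.search(r"^ security-level (\d+)$", block, re.M)
        if name:
            levels[name.group(1)] = int(level.group(1)) if level else None
    return levels

# 'inspect icmp' counts only inside the global_policy block (indented lines that follow it)
ICMP_RE = re.compile(r"^policy-map global_policy\n(?: .*\n)*? +inspect icmp$", re.M)

def audit(config):
    """Return findings for the settings this post configures; [] means all checks pass."""
    findings, levels = [], parse_interfaces(config)
    for name, level in levels.items():
        if level is None:
            findings.append(f"{name}: no explicit security-level (ASA defaults it to 0)")
    dmz, out, ins = (levels.get(k) or 0 for k in ("dmz", "outside", "inside"))
    if "dmz" in levels and not out < dmz < ins:
        findings.append("dmz: security-level not between outside and inside")
    if not ICMP_RE.search(config):
        findings.append("global_policy: 'inspect icmp' missing, so ping replies are dropped")
    if not re.search(r"^logging buffered \S+$", config, re.M):
        findings.append("logging buffered not enabled")
    elif not re.search(r"^logging buffer-size \d+$", config, re.M):
        findings.append("logging buffer-size left at default (value is in bytes)")
    return findings
```

Paste the output of "show running-config" into SAMPLE_CONFIG's place to run the same checks against a real device.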
Tip:
Make sure not to copy the commands directly from the webpage to the firewall. First copy the commands into Notepad, read each command, and then type it manually on the firewall.
------------------------------The END------------------------------
Very Nice Explanation