
Cisco ASA – Initial Configuration

This post describes the tasks required for a basic configuration of the Cisco ASA. Please note that the smaller Cisco ASA 5505 has an 8-port 10/100 switch which operates at Layer 2 only, so you cannot configure the physical ports as Layer 3 routed ports; you need to create VLAN interfaces instead. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside (internet-facing or untrusted) interface. The remaining seven interfaces (Ethernet0/1 to 0/7) are assigned to VLAN 1.

INITIAL CONFIGURATION (INTERFACES):

1: Configure internal interface (vlan1)

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.10.0.254 255.255.0.0
ASA5505(config-if)# no shut

2: Configure external interface (vlan2)

ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 130.20.64.17 255.255.255.248
ASA5505(config-if)# no shut

3: Assign Ethernet0/0 to Vlan2

ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

Optional – Configure DMZ

On the Base license the third VLAN interface must be restricted with no forward interface before it is given a nameif (see the NOTE below). The DMZ also needs its own subnet: the ASA refuses an interface address whose subnet overlaps another interface, so with the 10.10.0.0/16 inside address from step 1 the 10.10.1.0/24 range below would be rejected until the inside mask is narrowed (for example to 255.255.255.0) or a separate range is chosen.

ASA5505(config)# interface Vlan 3
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 10.10.1.254 255.255.255.0
ASA5505(config-if)# no shut

NOTE: If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface vlan 1 command before the nameif command on the third interface: with the Base license the ASA 5505 adaptive security appliance does not allow three fully functioning VLAN interfaces (the third VLAN may not initiate traffic to one of the other two). The restriction is lifted by the Security Plus license, ASA5505-SEC-BUN-K9 (includes Cisco ASA 5505, unlimited users, 8-port Fast Ethernet switch, stateful firewall, 25 IPsec VPN peers, 2 SSL VPN peers, stateless Active/Standby high availability, dual ISP support, DMZ support, 3DES/AES license, and 1 expansion slot).

Then assign a free switch port to VLAN 3 (Ethernet0/2 is used here; Ethernet0/0 is already the outside port from step 3):

ASA5505(config)# interface Ethernet0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shut

4: Enable any inside interfaces which will by default be in vlan1

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

PORT ADDRESS TRANSLATION:

5: Configure PAT on the outside interface

These two commands are the pre-8.3 syntax. From ASA 8.3 onward the global/nat pair no longer exists and the same PAT is expressed with the object NAT shown in step 7, so use one form or the other depending on your code version.

ASA5505(config)# global (outside) 1 interface
ASA5505(config)# nat (inside) 1 0.0.0.0 0.0.0.0

6: Configure Default Route

ASA5505(config)# route outside 0.0.0.0 0.0.0.0 130.20.64.22

7: Configure NAT to Allow Hosts to Go Out to Internet

Create a network object that represents the inside subnet as well as one that represents the dmz subnet. In each of these objects, configure a dynamic NAT rule that will PAT these clients as they pass from their respective interfaces to the outside interface.

This configuration looks similar to this:

object network inside-subnet
subnet 10.10.0.0 255.255.0.0
nat (inside,outside) dynamic interface

(When hosts matching the 10.10.0.0/16 subnet traverse from the inside interface to the outside interface, translate them to the outside interface).

object network dmz-subnet
subnet 10.10.1.0 255.255.255.0
nat (dmz,outside) dynamic interface

8: Configure NAT to Access Webserver from Internet
Users on the Internet will be able to reach the dmz webserver by accessing 130.20.64.18 on TCP port 80. Use Object NAT for this task, and the ASA will be translating TCP port 80 on the webserver (10.10.1.18) to look like 130.20.64.18 on TCP port 80 on the outside.

object network webserver-external-ip
host 130.20.64.18
!
object network webserver
host 10.10.1.18
nat (dmz,outside) static webserver-external-ip service tcp www www

Just to further clarify what that NAT rule means in the above example:

When a host matching the IP address 10.10.1.18 (object network webserver) on the dmz segment establishes a connection “sourced from TCP port 80 (www)” which is routed to the outside interface, the port stays TCP 80 (www) at the outside interface and the IP address is translated to 130.20.64.18 (object network webserver-external-ip).

This seems a little difficult to understand: “sourced from TCP port 80 (www)”, but web traffic is destined to port 80. It is important to understand that these NAT rules are bi-directional, so you can re-phrase the sentence reversing the wording to make the rule seem more sensible:

When hosts on the outside establish a connection to 130.20.64.18 on destination TCP port 80 (www), translate the destination IP address to 10.10.1.18 and the destination port to TCP port 80 (www) then send it out the dmz. This makes more sense when phrased this way. Next, you need to set up the ACLs.

ACCESS CONTROL LISTS:
NOTE: In earlier versions of ASA code (8.2 and earlier), the ASA compared an incoming connection or packet against the ACL on an interface without un-translating the packet first. In other words, the ACL had to permit the packet as if you were to capture that packet on the interface. In 8.3 and later code, the ASA un-translates that packet before checking the interface ACLs. This means that for 8.3 and later code, and this document, traffic to the host’s real IP is permitted and not the host’s translated IP.

NAT is configured and the end of this configuration is near. Remember, ACLs on the ASA allow you to override the default security behaviour which is as follows:

  • Traffic going from a lower security interface is denied when going to a higher security interface
  • Traffic going from a higher security interface is allowed when going to a lower security interface

So without adding any ACLs at all to the configuration, the following traffic in this example works:

  • Hosts on the inside (security level 100) can connect to hosts on the dmz (security level 50)
  • Hosts on the inside (security level 100) can connect to hosts on the outside (security level 0)
  • Hosts on the dmz (security level 50) can connect to hosts on the outside (security level 0)

However, the following traffic is denied:

  • Hosts on the outside (security level 0) cannot connect to hosts on the inside (security level 100)
  • Hosts on the outside (security level 0) cannot connect to hosts on the dmz (security level 50)
  • Hosts on the dmz (security level 50) cannot connect to hosts on the inside (security level 100)

So, because traffic from the outside to the dmz network is denied by the ASA with its current configuration, users on the Internet cannot reach the webserver despite the NAT configuration in step 8. You will need to explicitly permit this traffic. In 8.3 and later code you must use the real IP of the host in the ACL and not the translated IP. This means the configuration needs to permit traffic destined to 10.10.1.18 and NOT traffic destined to 130.20.64.18 on port 80. We will use the objects defined in step 8 for this ACL. Once the ACL is created, you need to apply it in the inbound direction on the outside interface:

ASA5505(config)# access-list outside_acl extended permit tcp any object webserver eq www
ASA5505(config)# access-group outside_acl in interface outside

What about traffic from the dmz segment destined to hosts on the inside network segment? For example, a server on the inside network that the hosts on the dmz need to connect to? How can the ASA allow only that specific traffic destined to the inside server and block everything else destined to the inside segment from the dmz? In this example it is assumed that there is a DNS server on the inside network at IP address 192.168.0.53 that the hosts on the dmz need to access for DNS resolution. You create the ACL needed and apply it to the dmz interface so the ASA can override that default security behaviour, mentioned earlier, for traffic entering that interface:

object network dns-server
host 192.168.0.53

ASA5505(config)# access-list dmz_acl extended permit udp any object dns-server eq domain
ASA5505(config)# access-list dmz_acl extended deny ip any object inside-subnet
ASA5505(config)# access-list dmz_acl extended permit ip any any

ASA5505(config)# access-group dmz_acl in interface dmz

The ACL is more complex than simply permitting that traffic to the DNS server on UDP port 53. If all we did was that first ‘permit’ line, then all traffic would be blocked from the dmz to hosts on the internet. Access lists have an implicit ‘deny ip any any’ at the end of the ACL. As a result, your dmz hosts would not be able to go out to the internet. Even though traffic from the dmz to the outside is permitted by default, by applying an ACL to the dmz interface, those default security behaviours for the dmz interface are no longer in effect and we must explicitly permit the traffic in the interface ACL.
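To make the decision logic of the ACL section and the step 8 static NAT concrete, here is an added Python model that is not part of the original post: a new connection is first un-translated through the static NAT (8.3+ behaviour), then checked against the inbound ACL of the entry interface if one is applied, otherwise against the security-level rule. The DNS server address 192.168.0.53 and the Internet client 203.0.113.9 are assumed values, and only the static NAT is modelled (dynamic PAT does not affect the ACL check).

```python
import ipaddress

# Security levels from steps 1, 2 and the DMZ block of the post.
SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Static object NAT from step 8: real 10.10.1.18:80 on dmz appears as
# 130.20.64.18:80 on outside. (mapped_if, mapped_ip, mapped_port, real_ip, real_port)
STATIC_NAT = [("outside", "130.20.64.18", 80, "10.10.1.18", 80)]

# Inbound interface ACLs from the post, in order. An interface missing here has
# no ACL and falls back to the security-level rule.
# Entry: (action, proto, src_net, dst_net, dst_port or None)
ACLS = {
    "outside": [("permit", "tcp", "0.0.0.0/0", "10.10.1.18/32", 80)],
    "dmz": [("permit", "udp", "0.0.0.0/0", "192.168.0.53/32", 53),  # assumed DNS server
            ("deny", "ip", "0.0.0.0/0", "10.10.0.0/16", None),
            ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)],
}

def untranslate(in_if, dst_ip, dst_port):
    """8.3+ behaviour: restore the real destination before the ACL lookup."""
    for mapped_if, mapped_ip, mapped_port, real_ip, real_port in STATIC_NAT:
        if (in_if, dst_ip, dst_port) == (mapped_if, mapped_ip, mapped_port):
            return real_ip, real_port
    return dst_ip, dst_port

def matches(entry, proto, src, dst, dport):
    """True if one ACL entry covers this packet (protocol, source, destination, port)."""
    _, eproto, snet, dnet, eport = entry
    return (eproto in ("ip", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(snet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dnet)
            and (eport is None or eport == dport))

def permitted(in_if, out_if, proto, src, dst, dport, acls=ACLS):
    """Decide whether a new connection entering in_if toward out_if is allowed."""
    real_dst, real_port = untranslate(in_if, dst, dport)
    acl = acls.get(in_if)
    if acl is None:
        # No ACL applied: only higher-to-lower security level is allowed.
        return SEC_LEVEL[in_if] > SEC_LEVEL[out_if]
    for entry in acl:
        if matches(entry, proto, src, real_dst, real_port):
            return entry[0] == "permit"
    return False  # implicit deny ip any any at the end of every ACL

if __name__ == "__main__":
    # Constructed flows: an Internet client reaching the published webserver,
    # then the same client trying a port the ACL does not permit.
    print(permitted("outside", "dmz", "tcp", "203.0.113.9", "130.20.64.18", 80))   # True
    print(permitted("outside", "dmz", "tcp", "203.0.113.9", "130.20.64.18", 443))  # False
```

Passing a dict containing only the first dmz_acl line to `acls` reproduces the failure described above: dmz hosts lose Internet access because of the implicit deny.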
