2453 Views · 15 Helpful · 5 Replies

How to set up the ACL on Cisco ASA5508-X ?

Dmitry.K85126 (Level 1)

We are not skilled in configuring the ASA firewall family, and we are not very skilled in configuring Cisco switches either.

We have a Cisco ASA5508-X Threat Defense and need to set up the ACL.

We have a global factory Intranet and a sub-LAN_1. There are about 10 network units (PCs, PLCs, other Cisco switches) inside sub-LAN_1.

We only need to allow certain PCs ("Our" PCs) located in the Intranet to access the network units in sub-LAN_1 with any applications, protocols and ports.

The access rule in the ASA should use the IPs of "Our" PCs.

The traffic path is:

Intranet – CISCO switch_1 (is a gate) – ASA – CISCO switch_2 – some PLCs

Intranet – CISCO switch_1 (is a gate) – ASA – 2 PCs

So we need to enter the IPs of certain PCs into the ASA.

We don't need access to the Internet from sub-LAN_1.

All network units in sub-LAN_1 have to answer all requests from "Our" PCs based on their IPs.

How to set up the ASA in our case?

Please show at least the basic steps of what to do, like this: determine the interfaces, create the group of interfaces, set up the "Policies" and so on.

Also, which service or application should we use (SSH, PuTTY, ASDM, web browser etc.)?

 

Thanks in advance.

2 Accepted Solutions

Samer R. Saleem (Level 4)

Dmitry, this is a bit of a broad question, but let's start from the basics as you requested.

1. You need to connect to the firewall. How?

a. Console cable directly from your PC to the firewall console interface, using PuTTY or any available application.

b. SSH, if you have already done step 1 and added the management IP address.

c. ASDM, if you have added the management IP and allowed ASDM.

2. After you have connected to the firewall you need to do some basic steps like creating interfaces and security levels.

3. Decide if your two networks will reside on the same interface and security level or on different security levels.

4. Once step 3 is decided, start adding network objects for the IP addresses of the hosts/networks and then start creating the ACL that allows traffic between the two security levels.

If they are on the same security level, then you need to allow the same-interface traffic option.

This is also a bit of a broad answer but hopefully it will help!

 

Samer


Thanks for the reply. Sorry, but I have no idea about the ASA code and the FTD code.

- In order to get this configured correctly you need to confirm what you are running. Console to the unit with your laptop and tell us what the console shows. If you have an ASA5508-X unit it is most probably running the ASA code.

As I have understood, they both refer to a method of configuration?

- ASA and FTD are two different operating systems. FTD is a unified combination of the ASA and Firepower software.

I prefer a graphic interface like web-browser pages.

- ASDM is your best friend in that case.

Is it possible to make the configuration I need with a web browser only?

I have no diagram of this work, but I can show something like that with the following lines:

PC1,PC2,PC3 in Sub-Net_2----(GATE_2) -------Global Intranet -----[ MY ZONE ]
PC4 in Sub-Net_3 ----(GATE_3)---Global Intranet -----[ MY ZONE ]
PC5 in Sub-Net_4 ----(GATE_4)---Global Intranet -----[ MY ZONE ]

[ MY ZONE ] = (GATE_1, based on usual CISCO switch_1) - ASA5508 - CISCO switch_2 – some PLCs and PCs
PC1...PC3 must have access to all network units in "MY ZONE".

PC4 must have access to PLC1 in "MY ZONE" only.

PC5 must have access to PLC2 in "MY ZONE" only.

All IPs of all PCs and PLCs are known.

- Console to the unit and do some basic configuration. Do you want to run this firewall in transparent mode or in firewall mode?

If you want to run the unit as a firewall, then:

 

!
hostname ASA
!
! On an ASA5508-X the data ports are GigabitEthernet1/1 - 1/8 and the
! management port is Management1/1; adjust the interface names to your unit.
interface gig0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shut
!
interface gig0/1
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.x.x
 no shut
!
interface Management1/1
 nameif mgmt
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shut
!

 

Now to get ASDM up and running, you need to make sure your ASA has an ASDM image in its flash.
!
The command is "dir":

asa# dir
Directory of disk0:/
196    -rwx  26916144    20:39:54 Nov 06 2017  asdm-781-150.bin

! Point the ASA at the ASDM image that is actually in flash (the file listed by "dir")
asa(config)# asdm image disk0:/asdm-781-150.bin
!
! Enable the HTTPS server and allow ASDM connections from the management subnet
http server enable
http 192.168.100.0 255.255.255.0 mgmt
!
aaa authentication http console LOCAL
!
! Replace these sample credentials with your own
username admin password cisco123 privilege 15
!

 

Once you apply this configuration, plug your laptop into the management port of the ASA and make sure you give your laptop an IP address in the same subnet as the one you defined on the ASA management port.

Once this is done, open a web browser and type 192.168.100.x (the ASA management IP address). Prior to this, open cmd and ping the management IP address of the ASA to make sure you can reach it. Once the web page is loaded, accept the self-signed certificate and download the ASDM.

Once the ASDM is downloaded you can configure the ASA according to your needs.

 

 

please do not forget to rate.


5 Replies

This is more like a small project in itself. It seems like you do not have the skillset for firewall configuration. Could you please confirm whether you are using the ASA code or the FTD code?

Do you have a diagram of this work which needs to be configured?

Please do not forget to rate.

Hi, Sheraz.Salim!
Thanks for the reply. Sorry, but I have no idea about the ASA code and the FTD code.
As I have understood, they both refer to a method of configuration?
I prefer a graphic interface like web-browser pages.
Is it possible to make the configuration I need with a web browser only?

I have no diagram of this work, but I can show something like that with the following lines:

PC1,PC2,PC3 in Sub-Net_2----(GATE_2) -------Global Intranet -----[ MY ZONE ]
PC4 in Sub-Net_3 ----(GATE_3)---Global Intranet -----[ MY ZONE ]
PC5 in Sub-Net_4 ----(GATE_4)---Global Intranet -----[ MY ZONE ]

[ MY ZONE ] = (GATE_1, based on usual CISCO switch_1) - ASA5508 - CISCO switch_2 – some PLCs and PCs
PC1...PC3 must have access to all network units in "MY ZONE".

PC4 must have access to PLC1 in "MY ZONE" only.

PC5 must have access to PLC2 in "MY ZONE" only.

All IPs of all PCs and PLCs are known.


I have no diagram of this work, but I can show something like that with the following lines:

PC1,PC2,PC3 in Sub-Net_2----(GATE_2) -------Global Intranet -----[ MY ZONE ]
PC4 in Sub-Net_3 ----(GATE_3)---Global Intranet -----[ MY ZONE ]
PC5 in Sub-Net_4 ----(GATE_4)---Global Intranet -----[ MY ZONE ]

[ MY ZONE ] = (GATE_1, based on usual CISCO switch_1) - ASA5508 - CISCO switch_2 – some PLCs and PCs
PC1...PC3 must have access to all network units in "MY ZONE".

PC4 must have access to PLC1 in "MY ZONE" only.

PC5 must have access to PLC2 in "MY ZONE" only.


PC1,PC2,PC3 in Sub-Net_2
PC4 in Sub-Net_3
PC5 in Sub-Net_4
Are these PCs in different subnets?
If they are, you can create security-level zones according to your needs and set up the ACL to control the traffic.

Create different zones for these subnets.

These are just examples; adjust according to your needs.

!
interface x/x
 nameif DMZ-1
 security-level 90
 ip address x.x.x.x 255.255.255.0
 no shut
!
interface z/z
 nameif DMZ-2
 security-level 50
 ip address z.z.z.z 255.255.255.0
 no shut
!
! Define the ACL first (subnet to subnet here, masks match the /24 interfaces above),
! then bind it inbound on the DMZ-1 interface
access-list DMZ-1_IN extended permit ip x.x.x.x 255.255.255.0 z.z.z.z 255.255.255.0
access-group DMZ-1_IN in interface DMZ-1
!

But having said that, as long as you have ASDM access from the GUI you can navigate and set up what is required for your requirement.

Please do not forget to rate.
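The policy Dmitry describes (PC1-PC3 to everything in MY ZONE, PC4 to PLC1 only, PC5 to PLC2 only, nothing from MY ZONE out to the Internet), written out as an ASA 9.x CLI configuration that combines Samer's steps (interfaces and security levels, network objects, ACL) with the zone and ACL example in the reply above. This is an added example, not configuration posted by anyone in this thread. It assumes the unit runs the ASA code rather than FTD, uses the 5508-X interface names (GigabitEthernet1/x, Management1/1), and every IP address, object name and ACL name in it is a constructed placeholder to be replaced with the real values; it also assumes GATE_1 already routes the MY ZONE subnet to the ASA's outside address, so no NAT is configured.

```cisco
! --- Added example with constructed placeholder addresses; not from the thread ---
! outside = toward GATE_1 / the global Intranet, inside = MY ZONE (switch_2, PLCs, PCs)
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! Default route toward GATE_1 (placeholder 10.1.1.1) so replies from MY ZONE
! can reach PC1-PC5 in their remote subnets
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! One network object per host named in the thread (placeholder IPs)
object network PC1
 host 10.1.2.11
object network PC2
 host 10.1.2.12
object network PC3
 host 10.1.2.13
object network PC4
 host 10.1.3.14
object network PC5
 host 10.1.4.15
object network PLC1
 host 192.168.50.101
object network PLC2
 host 192.168.50.102
object network MY_ZONE
 subnet 192.168.50.0 255.255.255.0
!
! "Our" PCs that may reach everything in MY ZONE
object-group network OUR_PCS
 network-object object PC1
 network-object object PC2
 network-object object PC3
!
! Inbound policy on outside. ACLs are evaluated top down, first match wins;
! the explicit deny at the end logs anything that was not permitted.
access-list OUTSIDE_IN extended permit ip object-group OUR_PCS object MY_ZONE
access-list OUTSIDE_IN extended permit ip object PC4 object PLC1
access-list OUTSIDE_IN extended permit ip object PC5 object PLC2
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! MY ZONE must not initiate anything (no Internet from sub-LAN_1). Binding an
! explicit ACL on inside replaces the default high-to-low security-level permit;
! replies to connections opened by PC1-PC5 still flow because the ASA is stateful.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! ASDM/HTTPS management on the dedicated management port only
interface Management1/1
 management-only
 nameif mgmt
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
http server enable
http 192.168.100.0 255.255.255.0 mgmt
aaa authentication http console LOCAL
```

After applying it, `show access-list OUTSIDE_IN` shows per-line hit counts, and `packet-tracer input outside tcp 10.1.3.14 1025 192.168.50.102 80` walks a simulated PC4-to-PLC2 packet through the rules and should end with `Action: drop` (the ACL-phase output names the denying line), while the same command against 192.168.50.101 should end with `Action: allow`. Running the tracer for each PC/PLC pair is the quickest way to confirm the policy before plugging in the PLC network.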