09-01-2013 05:54 AM - edited 03-11-2019 07:32 PM
Hi,
I'm struggling with the correct steps to configure the ASA to inspect traffic and allow only some traffic from inside to outside and from outside to the DMZ.
Correct my steps if necessary:
After this I should be able to ping and access the HTTP server from the outside of the network.
Right?
Kind Regards,
António
Solved! Go to Solution.
09-02-2013 01:56 PM
Hi,
First of all, the route that you have created is wrong. It should be a default route that points to an "ANY" destination and an "ANY" destination mask. For example, route outside 0 0 62.28.190.65.
Second, don't worry about the policy map at the moment because there is a default policy map configured already with the most important protocols. Therefore, ICMP is inspected by default.
Third, test ICMP traffic between hosts, not routers. Perhaps the ISP router is blocking incoming ICMP packets to itself. This means you have to create an ACL that is applied to the ISP router to allow ICMP to itself. So, to save all these hassles, just add two hosts as mentioned.
If you insist on working with the routers, do a packet trace for me as shown below:
packet-trace input inside
Regards,
AM
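As an added illustration that is not part of the thread: the full form of the packet-tracer command AM asks for, which walks a synthetic packet through every phase (route lookup, ACL, NAT, inspection) and ends with an allow/drop verdict and a drop reason. The inside host 192.168.200.10, the DMZ server 192.168.100.10 and the Internet host 203.0.113.5 are assumed addresses for the example; the interface names and the ISP router address 62.28.190.65 are the ones used in this thread.

```cisco
! ICMP echo (type 8, code 0) from an assumed inside host to the ISP router.
! The output lists each phase; the NAT phase should show the dynamic
! (inside,outside) rule and the final line "Action: allow".
packet-tracer input inside icmp 192.168.200.10 8 0 62.28.190.65 detailed
!
! Inbound HTTP from an assumed Internet host to the outside interface address.
! This exercises the (dmz,outside) static NAT and the ACL applied on outside;
! a "Drop-reason: (acl-drop)" here means the outside ACL is missing or wrong.
packet-tracer input outside tcp 203.0.113.5 40000 62.28.190.66 80 detailed
!
! Inside host to the DMZ server: the NAT phase should report the identity rule
! (or no translation at all), never the dynamic PAT to the outside interface.
packet-tracer input inside tcp 192.168.200.10 40000 192.168.100.10 80
!
! Confirm what the ASA actually has installed before trusting the trace.
show nat detail
show route
```

A trace that ends in "Action: allow" only proves the ASA forwards the packet; as the thread later shows, the reply still depends on the next-hop router having a return route and, for pings aimed at the router itself, on it accepting ICMP.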
09-01-2013 07:42 AM
1. Configure interfaces
- IP address
- Nameif
- Security Level
Correct.
The firewall is a Layer 3 device like any L3 device. Therefore, before it can route or allow any traffic, interface information must be defined. Very basic. By default, Inside interface is assigned sec. level of 100 and Outside interface is assigned sec. level of 0. You do not actually need to define security levels unless you're assigning custom levels.
2. Configure NAT
- Translation from inside to outside
- Translation from inside to DMZ
- Static translation from outside to DMZ
The first point is a correct step. Consider dynamic NAT for internal users.
The second point is correct. However, you use identity NAT translation and there is no need to define a static or dynamic translation. Why? Because after all you are using RFC 1918 private IP addresses in both the inside and DMZ networks.
The third point is in the incorrect direction. If you want to make a DMZ server accessible from the outside, the static translation should be from DMZ to Outside. In very rare cases, translation from Outside to DMZ is used.
3. Create ACLs
- ACL to allow traffic from inside to outside
- ACL to allow traffic from inside to DMZ
- ACL to allow traffic from outside to DMZ
The first point is correct IF you want to restrict traffic from inside to outside. Because all types of traffic from inside to outside are allowed based on the default security level of the outside interface, there is no need to apply any ACL on the inside interface. Restricting users' traffic is a good practice; however, do not forget to allow the necessary services that the users need to surf the internet. For example, http, https, dns. The common mistake administrators make is allowing only http (thinking that this is enough to allow internet access) and forgetting DNS. Almost all the internet's workings are based on DNS name resolution. Without it, "page cannot be displayed", says Firefox.
The second point is not needed. As mentioned, traffic is allowed from inside to dmz without any ACL because it is the higher sec.level interface.
The third point is correct. Make sure to allow only the needed services from outside to dmz and not more.
4. Create Inspect policy
- Create class map
- Create policy map
- Define the type of traffic to be inspected
- Associate the policy to the interface
The third point is part of the first point and not an independent step.
So, here is the correct order:
1. Create a class map to define a type of traffic to be inspected. You can use the "match" keyword to define traffic by protocol name or by ACL.
2. Create a policy map to define the class map that is created in the first step and configure actions on the defined traffic.
3. Apply the policy map globally or on an interface.
Regards,
AM
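To put AM's corrected order into one piece of configuration, here is an added example for an ASA running 8.4 (this is not the original poster's lab config and not something AM posted). It uses the interface names and addresses that appear in this thread: inside 192.168.200.0/24, dmz 192.168.100.0/24, outside 62.28.190.66/30 with the ISP router at 62.28.190.65. The DMZ web server 192.168.100.10, the object names and the ACL names are assumptions chosen for the example.

```cisco
! Step 1: interfaces. The security levels decide the default direction of
! trust: higher to lower is allowed without an ACL, lower to higher is not.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
! Default route: "any" destination and "any" mask via the ISP router.
route outside 0.0.0.0 0.0.0.0 62.28.190.65 1
!
! Step 2a: dynamic PAT for inside users going to the Internet (8.3+ object NAT).
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Step 2b: identity NAT between inside and dmz. Both sides are RFC 1918, so
! the twice-NAT rule maps each network to itself (no address change).
object network Net-DMZ
 subnet 192.168.100.0 255.255.255.0
nat (inside,dmz) source static Net-Inside Net-Inside destination static Net-DMZ Net-DMZ
!
! Step 2c: static NAT from DMZ to outside, in that direction. With a single
! public address, forward only TCP/80 on the outside interface address to the
! assumed web server 192.168.100.10.
object network DMZ-Web
 host 192.168.100.10
 nat (dmz,outside) static interface service tcp 80 80
!
! Step 3: ACL on the outside interface permitting only HTTP to the DMZ server.
! Since 8.3 the ACL references the real (untranslated) address, hence the object.
access-list OUTSIDE_IN extended permit tcp any object DMZ-Web eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Optional: restrict inside users. Applying an ACL on inside replaces the
! implicit "allow everything to lower security levels", so inside-to-dmz must
! be permitted explicitly, and DNS must be included or nothing resolves.
access-list INSIDE_IN extended permit ip object Net-Inside object Net-DMZ
access-list INSIDE_IN extended permit udp object Net-Inside any eq 53
access-list INSIDE_IN extended permit tcp object Net-Inside any eq 80
access-list INSIDE_IN extended permit tcp object Net-Inside any eq 443
access-list INSIDE_IN extended permit icmp object Net-Inside any echo
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Step 4: no new class-map or policy-map is needed. The default global_policy
! already applies "inspect icmp" to class inspection_default, which is what
! lets echo replies back in for the pings from inside.
```

The DMZ server is reachable from the outside only on the one service the ACL names, and the inside ACL's final deny with log gives a visible record of anything it drops, which is usually the quickest way to notice a forgotten service such as DNS.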
09-01-2013 04:13 PM
Hi AM,
After some time I discovered that the commands for this 8.4 version are different from some I used to configure my lab.
This is my lab:
I made this config on my emulated ASA with IOS version 8.4:
ASA Version 8.4(2)
hostname ciscoasa
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet1
 nameif management
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
no ftp mode passive
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
!
object network Net-Inside
 nat (inside,outside) dynamic interface
route outside 10.0.0.0 255.255.255.0 62.28.190.65 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9b048dee7f8788f1213edff7a0cf7990
: end
After this configuration it's supposed that I can ping the ISP router from the inside router, right? Also from the DMZ router?
As you said: "The second point is not needed. As mentioned, traffic is allowed from inside to dmz without any ACL because it is the higher sec.level interface."
Can you give me a tip?
Kind Regards,
AS
09-02-2013 05:56 AM
Hi,
Yes, NAT commands have changed beginning with 8.3 and later.
Notice that 192.168.200.1 is assigned to both the ASA and the router in the diagram. (ALARM: IP conflict)
Generally, when you test NAT translations through the ASA, try to initiate traffic between two hosts rather than between routers. Therefore, add two hosts: one behind the inside router and one behind the ISP router.
About the DMZ, you missed adding an identity NAT from inside to dmz.
object network ident_NAT
 host 192.168.200.3
 nat (inside,dmz) static 192.168.200.3
Regards,
AM
09-02-2013 09:14 AM
Hi,
Thank you for helping me.
About the IPs, it's just in the graphic, because the config is fine.
Man, my problem is much more strange. The traffic from inside to outside, with the NAT, the default route and the policy map well configured, should let the ICMP pass. Correct?
Kind Regards,
AS
09-02-2013 01:59 PM
Turbo_Engine,
I corrected the problem.
I used the packet trace command as you suggested.
The problem was in the routing tables of the routers.
Many thanks, man, for helping me.
Kind Regards.
09-02-2013 02:03 PM
Hi,
Glad to hear that it is working for you.
Do not hesitate to ask further questions.
Regards,
AM