03-05-2014 11:59 AM - edited 03-11-2019 08:54 PM
Hello
I am partitioning off my guest wireless traffic out a new connection.
I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
AP - WISM - 5508 - FW - Cable link - Internet
Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
The external link will be via cable and I want to configure their static on my outside int.
Where would be the best place to ratelimit the subnet(s)?
sMc
03-05-2014 01:02 PM
This is a very basic setup that you can do, just change interface number, name and IP, and NAT as needed:
int gig0/1
 description INSIDE interface
 security-level 100
 nameif inside
 ip add 172.16.1.1 255.255.255.0
 no shut
int gig0/2
 description OUTSIDE interface
 security-level 0
 nameif outside
 ip add 191.1.1.1 255.255.255.252
 no shut
object network LAN
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 191.1.1.2
Traffic is permitted from a higher security level to a lower security level by default. A lower security level to higher security level is not permitted. Once you apply an ACL to the interface the security levels have no meaning any more...until the ACL is removed that is. So for a basic setup allowing only traffic from inside to outside you do not need any ACLs.
Keep in mind that the nat statement should be configured while you are under the LAN network object.
--
Please remember to rate and select a correct answer
03-05-2014 01:15 PM
ah you are running 8.2.
then it would be like this:
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
--
Please remember to rate and select a correct answer
03-05-2014 01:27 PM
Really depends what you are trying to do; this setup is basic, but it is secure when considering connections from the internet. No one can initiate a connection from the internet to your internal network. Only your internal network can initiate traffic.
Of course if you want to make your internal network a little more secure you can add an ACL to the inside interface only permitting your specific subnet to initiate traffic to the internet or anywhere else for that matter.
Also, there is the case of managing the ASA; this should only be allowed from a specific subnet or IP on your inside interface. If you want to manage the ASA from the internet you would need to connect to a VPN and then manage the ASA from that connection. HTTPS and SSH connections to an interface with a security level of 0 are not permitted.
To do this you would need to add config similar to the following:
access-list LAN extended permit ip 172.16.1.0 255.255.255.0 any
access-group LAN in interface inside
crypto key generate rsa modulus 2048
ssh 172.16.1.10 255.255.255.255 inside
asdm image
http server enable
http 172.16.1.10 255.255.255.255 inside
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
--
Please remember to rate and select a correct answer
03-05-2014 01:43 PM
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
These are router configurations and would not work on the ASA. To do this the ACL config would need to look like this:
access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
access-group LAN in interface inside
Keep in mind that you can change the ACL name (LAN) to anything you want it to be. You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.
Also, to make sure this subnet has no access to inside services, what would be needed?
Not exactly sure where you are going with this. Is this subnet also located on the inside interface? Or on a different interface?
If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (let's say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entry permitting traffic to any.
Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs. If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.
--
Please remember to rate and select a correct answer
03-05-2014 01:53 PM
OK, how do you plan on connecting these subnets to the ASA? Will there be a router behind the ASA that routes these subnets to the ASA or will there be VLANs that connect to the ASA? Will the ASA be routing between these subnets?
Depending on how your subnets are allocated you might be able to summarize some of the subnets.
--
Please remember to rate and select a correct answer
03-05-2014 02:04 PM
So the ASA will be doing the routing. Then you will need to create subinterfaces on the ASA to accommodate the VLANs...there are other options but that could end up becoming very complicated.
--
Please remember to rate and select a correct answer
03-05-2014 02:24 PM
Have you subnetted the network or are they all located on the /21 network? If they are all in the same network (all have the same subnet mask) then no, you do not have to create sub-interfaces.
But then you will also run into the issue that traffic will not go through the ASA when going between the hosts as they will all be seen as being part of the same network and the switches will just forward traffic accordingly.
--
Please remember to rate and select a correct answer
03-05-2014 11:40 PM
If they will all be part of the /21 network then the ASA will never see traffic that goes between the hosts. That means that any restrictions for access would need to be configured on the hosts themselves.
As for AAA, you would only configure this for management of the ASA. So if you will be using the local user database on the ASA for management then the AAA commands I provided in an earlier post would be enough for access to the ASA.
03-06-2014 08:25 AM
Sorry my bad, you need to add tcp instead of ip:
access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80
03-05-2014 12:06 PM
Followup
I want to PAT all internal addresses to the static given by ISP
sMc
03-05-2014 12:23 PM
Another detail
DHCP pool will be configured on the 5508
sMc
03-05-2014 01:13 PM
Marius
Thank you for the response.
I am having trouble getting the NAT statement to work.
"Keep in mind that the nat statement should be configured while you are under the LAN network object"
There is no NAT option
Cisco Adaptive Security Appliance Software Version 8.2(5)
Please advise.
sMc
03-05-2014 01:19 PM
Marius
"very cool", thank you!
Are there any other considerations that would "tighten this config up"?
sMc
03-05-2014 01:34 PM
Marius
So
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443
Then apply this to the inside interface in/out, would only allow that subnet to originate traffic?
Also, to make sure this subnet has no access to inside services, what would be needed?
sMc
03-05-2014 01:48 PM
Marius
Thanks again for your guidance.
"Is this subnet also located on the inside interface?"
Yes the inside int is in the same subnet as the nat pool
"or add an ACL that denies traffic to the inside network subnet"
There are many subnets inside, that acl could be extensive
sMc
03-05-2014 01:59 PM
Marius
The topology will look like:
AP > WISM > 5508 (Subnet/DHCP server created here) > ASA > ISP link
sMc
03-05-2014 02:18 PM
The Subnet has the following:
172.16.10.20 - 172.16.14.254, the first 20 are for statics
172.16.10.0 255.255.248.0
Would I still need to create a sub-int?
sMc