Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Setp by setp ASA 5505 configuration to inspect traffic

I,

I´m strugling with the correct steps to configure ASA to inspect traffic and allow only some traffic form inside to outside and outside to DMZ.

Correct my steps if necessary:

  1. Configure interfaces
    • IP addres
    • Nameif
    • Security Level
  2. Configure NAT
    • Translation from inside to outside
    • Trasnlation from inside to DMZ
    • Static translation from outside to DMZ
  3. Create ACLS
    • ACL to allow traffic from inside to outside
    • ACL to allow traffic from inside to DMZ
    • ACL to allow traffic form outside to DMZ
  4. Create Inspect policy
    1. Creat class map
    2. Create policy map
    3. Define de type of traffic to be inspected
    4. Associate the policy to the interface

After this I shoul ping and access http server from the outside of the network.

Rigth?

King Regards,

António

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Setp by setp ASA 5505 configuration to inspect traffic

Hi,

First of all, the route that you have created is wrong. It should be a default route that points to an "ANY" destination and "ANY" destination's mask. For example, route outside 0 0 62.28.190.65.

Second, don't worry about the policy map at the moment because there is a default policy map configured already with most important protocols. Therefore, ICMP is inspect by default.

Third, test ICMP traffic between hosts not routers. Perhaps the ISP router is blocking an incoming ICMP packets to itself. This means you have to create an ACL that is applied to the ISP router to allow ICMP to itself. So, to save all these hassles, just add two hosts as mentioned.

If you insist to work with the routers, do a packet trace for me as shown below:

packet-trace input inside 8 0 , and post the result.

Regards,

AM

7 REPLIES
Community Member

Re: Setp by setp ASA 5505 configuration to inspect traffic

  1. Configure interfaces
    • IP addres
    • Nameif
    • Security Level


Correct.

The  firewall is a Layer 3 device like any L3 device. Therefore, before it  can route or allow any traffic, interface information must be defined.  Very basic. By default, Inside interface is assigned sec. level of 100  and Outside interface is assigned sec. level of 0. You do not actually  need to define security levels unless you're assigning custom levels.

2. Configure NAT

    • Translation from inside to outside
    • Trasnlation from inside to DMZ
    • Static translation from outside to DMZ


The first point is a correct step. Consider dynamic NAT for internal users.

The second point is correct. However, you use identity NAT translation and no need to define static or dynamic translaton. Why? because  after all you are using RFC 1918 private IP addresses in both the inside and DMZ networks.

The third point is incorrect direction. If you want to make a DMZ server to be accessible from the outside, the static translation shoud be from DMZ to Outside. In very rare cases, translation from Outside to DMZ is used.


3. Create ACLS

    • ACL to allow traffic from inside to outside
    • ACL to allow traffic from inside to DMZ
    • ACL to allow traffic form outside to DMZ

 

The first point is correct IF you want to restrict traffic from inside to outside. Because all types of traffic from inside to outside are allowed based on the default security level of the outside interface, no need to apply any ACL on the inside.  interface. Restricting users traffic is a good practice, however, do no forget to allow the necessary services that the users need to surf the internet. For example, http, https, dns. The common mistake the administrators do is, allowing only http (thinking that this is enough to allow internet access) and forgetting  DNS. Almost all the internet workings are based on DNS name resolutions. Without it, "page cannot be displayed", said Firefox.

The second point is not needed. As mentioned, traffic is allowed from inside to dmz without any ACL because it is the higher sec.level interface.

The third point is correct. Make sure to allow only the needed services from outside to dmz and not more.


4. Create Inspect policy

  1. Creat class map
  2. Create policy map
  3. Define de type of traffic to be inspected
  4. Associate the policy to the interface

    The third point is part of the first point and not an independent step.

    So, here is the correct order:

    1. Create a class map to  define a type of traffic to be inspected. You can use the "match"  keyword to define a traffic by protcol name or by ACL.

    2. Create a policy map to define the class map that is created in the first step and configure actions on the defined traffic.

    3. Apply the policy map globally or on an interface.

    Regards,

    AM

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Hi AM,

    After some time i discovered that the commands for this 8.4 version are different from some I used to configure my lab.

    Thhis is my lab:

    I made this config to my emulated ASA with 8.4 of IOS version:

    ASA Version 8.4(2)

    hostname ciscoasa

    !

    interface GigabitEthernet0

    nameif outside

    security-level 0

    ip address 62.28.190.66 255.255.255.252

    !

    interface GigabitEthernet1

    nameif management

    security-level 0

    ip address 10.0.0.2 255.255.255.0

    !

    interface GigabitEthernet2

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface GigabitEthernet3

    nameif dmz

    security-level 70

    ip address 192.168.100.254 255.255.255.0

    !

    interface GigabitEthernet4

    nameif inside

    security-level 100

    ip address 192.168.200.1 255.255.255.0

    !

    interface GigabitEthernet5

    shutdown

    no nameif

    no security-level

    no ip address

    !

    no ftp mode passive

    object network Net-Inside

    subnet 192.168.200.0 255.255.255.0

    !

    object network Net-Inside

    nat (inside,outside) dynamic interface

    route outside 10.0.0.0 255.255.255.0 62.28.190.65 1

    dynamic-access-policy-record DfltAccessPolicy

    http server enable

    no snmp-server location

    no snmp-server contact

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    no threat-detection basic-threat

    no threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

      message-length maximum client auto

      message-length maximum 512

    policy-map global_policy

    class inspection_default

      inspect dns preset_dns_map

      inspect ftp

      inspect h323 h225

      inspect h323 ras

      inspect ip-options

      inspect netbios

      inspect rsh

      inspect rtsp

      inspect skinny 

      inspect esmtp

      inspect sqlnet

      inspect sunrpc

      inspect tftp

      inspect sip 

      inspect xdmcp

      inspect icmp

    !

    service-policy global_policy global

    prompt hostname context

    no call-home reporting anonymous

    call-home

    profile CiscoTAC-1

      no active

      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

      destination address email callhome@cisco.com

      destination transport-method http

      subscribe-to-alert-group diagnostic

      subscribe-to-alert-group environment

      subscribe-to-alert-group inventory periodic monthly

      subscribe-to-alert-group configuration periodic monthly

      subscribe-to-alert-group telemetry periodic daily

    crashinfo save disable

    Cryptochecksum:9b048dee7f8788f1213edff7a0cf7990

    : end

    After this configuration its suposed I can ping ISP router from the inside router, rigth? Also as the DMZ router?

    As you said :"

    The second point is not needed. As mentioned, traffic is allowed from inside to dmz without any ACL because it is the higher sec.level interface.

    "

    Can you give me a tip?

    King Regards,

    AS

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Hi,

    Yes, NAT commands have changed beginning with 8.3 and later.

    Notice that 192.168.200.1 is assigned to both the ASA and the router in the diagram.  (ALARM: IP Conflict)

    Generally, when you test NAT translations throught the ASA, try to initiate traffic between two hosts rather than between routers. Therefore, add two hosts: one behind the inside router and one behind the ISP router.

    About the DMZ, you missed to add an identity NAT from inside to dmz.

    object network ident_NAT

    host 192.168.200.3

    nat (inside,dmz) static 192.168.200.3

    Regards,

    AM

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Hi,

    Thank you for helpping me.

    About the Ips its just in the graphic, becouse the config its fine.

    Man, my problem is mutch more strange. The traffic from inside to outside with the NAT, the default route and de policy map weel configure should let me pass the icmp. correct?

    Kind Regards,

    AS

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Hi,

    First of all, the route that you have created is wrong. It should be a default route that points to an "ANY" destination and "ANY" destination's mask. For example, route outside 0 0 62.28.190.65.

    Second, don't worry about the policy map at the moment because there is a default policy map configured already with most important protocols. Therefore, ICMP is inspect by default.

    Third, test ICMP traffic between hosts not routers. Perhaps the ISP router is blocking an incoming ICMP packets to itself. This means you have to create an ACL that is applied to the ISP router to allow ICMP to itself. So, to save all these hassles, just add two hosts as mentioned.

    If you insist to work with the routers, do a packet trace for me as shown below:

    packet-trace input inside 8 0 , and post the result.

    Regards,

    AM

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Turbo_Engine,

    I corrected the problem.

    I used the command packet trace as u sugest.

    The problem was on routing tables of the routers.

    Many thanks man for helping me.

    Kind Regrads.

    Community Member

    Re: Setp by setp ASA 5505 configuration to inspect traffic

    Hi,

    Glad to hear that it is working for you

    Do not hesitate to ask further questions.

    Regards,

    AM

    1595
    Views
    5
    Helpful
    7
    Replies
    CreatePlease to create content