October 28, 2013

- Cisco Networking: ASA 8.4, NAT and DMZ

[Topology diagram: topology-60.png]
Basic configuration of ASA 8.4 with the 8.3+ style NAT using network objects:
-Configure the outside interface with the default security level of 0:
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no shutdown

-Configure the inside interface with the default security level of 100:
ciscoasa(config-if)# int g1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shutdown

-Configure the DMZ interface with the security level of 70:
ciscoasa(config-if)# int g2
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# security-level 70
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# no shutdown

-Configure the privileged EXEC password (cisco is a lab value; use a strong one anywhere else):
ciscoasa(config)# enable password cisco

-Create the Telnet / SSH login password (the ASA accepts both passwd and password for this):
ciscoasa(config)# password cisco

-Identify which inside host can connect to the ASA using Telnet. Telnet is cleartext, and the ASA refuses it on the lowest-security interface anyway; outside a lab leave it off and use SSH:
ciscoasa(config)# telnet 192.168.1.10 255.255.255.255 inside

-Create a local database entry (a username defaults to privilege level 2; append privilege 15 for an administrator account):
ciscoasa(config)# username admin password cisco

-Identify which inside host can connect to the ASA using SSH. Two steps the transcript does not show are needed before this works: an RSA key pair (crypto key generate rsa, which expects a hostname and domain-name to have been set) and, to log in as the local user just created, aaa authentication ssh console LOCAL. Without the latter, ASA 8.4 expects the username pix with the Telnet password above:
ciscoasa(config)# ssh 192.168.1.10 255.255.255.255 inside

-Enable the HTTP server (ASDM, over HTTPS) and identify which inside host can connect to it:
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.10 255.255.255.255 inside

-Configure a default route toward the outside zone:
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225

-Ping the router R1:
ciscoasa(config)# ping 209.165.200.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/40 ms
ciscoasa(config)#


-Configuration of dynamic and static NAT:
 .Translate inside users to a public pool and permit outside users to reach the DMZ server.
 .Create the network object NAT-POOL holding the public pool addresses.
 .Create the network object NAT, identify the inside hosts to translate from, and translate them dynamically to the NAT-POOL object.
Two things to check about the pool: 209.165.200.240-246 lies outside the outside interface's own subnet (209.165.200.224/29), so R1 must have a route for those addresses pointing at 209.165.200.226 or replies never reach the ASA; and with seven addresses only seven inside hosts can be translated at once, the next one gets no translation unless a PAT fallback (the interface keyword at the end of the nat statement) is configured.

ciscoasa(config)# object network NAT-POOL
ciscoasa(config-network-object)# range 209.165.200.240 209.165.200.246
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network NAT
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic NAT-POOL

-Create the static NAT network object DMZ-NAT: identify the DMZ server's real address and map it one-to-one to the public address 209.165.200.227, an unused address in the outside subnet (the ASA answers ARP for it on the server's behalf).
-Create an ACL called OUTSIDE-to-SERVER permitting outside users to reach the DMZ server, and apply it inbound on the outside interface. Since ASA 8.3, interface ACLs are evaluated against the real (untranslated) address, so the entry names 192.168.2.3, not 209.165.200.227. Anything not listed is dropped by the implicit deny. permit ip any opens every port of the server, which is fine for a lab; in production narrow it to the services the server actually offers.
ciscoasa(config)# object network DMZ-NAT
ciscoasa(config-network-object)# host 192.168.2.3
ciscoasa(config-network-object)# nat (DMZ,outside) static 209.165.200.227
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list OUTSIDE-to-SERVER permit ip any host 192.168.2.3
ciscoasa(config)# access-group OUTSIDE-to-SERVER in interface outside
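As an added example (my code, not part of the original post), here is a small Python linter that reads the object NAT and ACL statements above the way a reviewer would and reports the three things worth checking before trusting them: that every mapped address is inside the outside subnet 209.165.200.224/29 (the pool is not, so R1 needs a route), that the ACL names real rather than mapped addresses, and that a server is not published with permit ip any. The sample configuration is constructed from the statements above with one deliberate mistake, the static mapped address typed as 209.200.165.227 instead of 209.165.200.227, the kind of octet transposition the check is meant to catch. Function and variable names are my own.

```python
"""Lint ASA 8.3+ object-NAT and ACL statements (added example, not the post's code).
Parses 'object network', 'nat' and 'access-list' lines from a constructed sample and
flags: mapped addresses outside the outside interface's subnet, ACL entries naming a
mapped instead of a real address, and 'permit ip any' in front of a published server."""
import ipaddress
import re

OUTSIDE_SUBNET = ipaddress.ip_network("209.165.200.224/29")  # outside interface, from the post

# Constructed sample: the post's statements plus a deliberate octet transposition (.227).
SAMPLE_CONFIG = """\
object network NAT-POOL
 range 209.165.200.240 209.165.200.246
object network NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT-POOL
object network DMZ-NAT
 host 192.168.2.3
 nat (DMZ,outside) static 209.200.165.227
access-list OUTSIDE-to-SERVER permit ip any host 192.168.2.3
access-group OUTSIDE-to-SERVER in interface outside
"""
# The same statements with the mapped address corrected and the ACL narrowed to HTTP.
FIXED_CONFIG = SAMPLE_CONFIG.replace("209.200.165.227", "209.165.200.227").replace(
    "permit ip any host 192.168.2.3", "permit tcp any host 192.168.2.3 eq www")

def _expand(body):
    """'host A' / 'subnet A M' / 'range A B' -> list of address or network objects."""
    kind, *args = body.split()
    if kind == "host":
        return [ipaddress.ip_address(args[0])]
    if kind == "subnet":
        return [ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)]
    lo, hi = (int(ipaddress.ip_address(a)) for a in args)  # range
    return [ipaddress.ip_address(n) for n in range(lo, hi + 1)]

def parse_objects(text):
    """{name: {'real': [...], 'nat': (real_if, mapped_if, kind, target) or None}}"""
    objects, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("object network "):
            cur = objects[line.split()[2]] = {"real": [], "nat": None}
        elif cur is not None and line.split()[0] in ("host", "subnet", "range"):
            cur["real"].extend(_expand(line))
        elif cur is not None and line.startswith("nat ("):
            cur["nat"] = re.match(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)", line).groups()
        else:
            cur = None  # any other top-level command ends the object block
    return objects

def _addr(tokens, i):
    """Consume one ACL address spec ('any', 'host A' or 'A M') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acls(text):
    """Extended ACL entries as dicts: access-list NAME permit|deny PROTO SRC DST [PORT]"""
    entries = []
    for t in (ln.split() for ln in text.splitlines()):
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        entries.append({"name": t[1], "action": t[2], "proto": t[3],
                        "src": src, "dst": dst, "port": " ".join(t[i:])})
    return entries

def check_config(text, outside_subnet=OUTSIDE_SUBNET):
    """Return human-readable findings for the configuration text."""
    objects = parse_objects(text)
    findings, mapped_all, published = [], set(), set()
    for name, obj in objects.items():
        if obj["nat"] is None or obj["nat"][1] != "outside":
            continue
        kind, target = obj["nat"][2:]
        if kind == "static":
            published.update(obj["real"])  # real addresses reachable from outside
        # dynamic: the pool object's addresses; static: the literal mapped address
        mapped = objects[target]["real"] if target in objects else [ipaddress.ip_address(target)]
        mapped_all.update(mapped)
        off_net = [a for a in mapped if not (a.subnet_of(outside_subnet)
                   if isinstance(a, ipaddress.IPv4Network) else a in outside_subnet)]
        if off_net:
            span = str(off_net[0]) if len(off_net) == 1 else f"{off_net[0]}-{off_net[-1]}"
            findings.append(f"{name}: mapped address {span} is not in {outside_subnet}; "
                            "either a typo or R1 needs a route for it via the ASA")
    for e in parse_acls(text):
        if e["action"] != "permit":
            continue
        if e["dst"] in mapped_all:
            findings.append(f"{e['name']}: destination {e['dst']} is a mapped address; "
                            "since 8.3 an interface ACL must name the real address")
        if e["proto"] == "ip" and e["src"] == "any" and e["dst"] in published:
            findings.append(f"{e['name']}: 'permit ip any host {e['dst']}' exposes every "
                            "port of the published server; restrict it to the services offered")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", check_config(cfg) or ["no findings"])
```

Run as a script it prints three findings for the sample (the pool off the outside subnet, the transposed static address, the wide-open ACL) and one for the fixed version: the pool finding remains, because a routing decision on R1, not a configuration change on the ASA, resolves it.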

1-Make sure we have connectivity to the ASA first:
-Ping from the Inside_Host to ASA:
C:\Documents and Settings\Administrator>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=5ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 3ms

C:\Documents and Settings\Administrator>


-Ping from Server to ASA:
C:\Users\user>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=5ms TTL=255
Reply from 192.168.2.1: bytes=32 time=1ms TTL=255
Reply from 192.168.2.1: bytes=32 time=3ms TTL=255
Reply from 192.168.2.1: bytes=32 time=3ms TTL=255

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 3ms

C:\Users\user>


-Ping from Outside_Host to ASA:
C:\Documents and Settings\Administrator>ping 209.165.200.226

Pinging 209.165.200.226 with 32 bytes of data:

Reply from 209.165.200.226: bytes=32 time=18ms TTL=254
Reply from 209.165.200.226: bytes=32 time=17ms TTL=254
Reply from 209.165.200.226: bytes=32 time=13ms TTL=254
Reply from 209.165.200.226: bytes=32 time=17ms TTL=254

Ping statistics for 209.165.200.226:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 18ms, Average = 16ms


2-Other Pings:
-Ping from Inside_Host to Outside_Host:
C:\Documents and Settings\Administrator>ping 10.1.1.10

Pinging 10.1.1.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


-Ping From Server to Outside_Host:
C:\Users\user>ping 10.1.1.10

Pinging 10.1.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The default MPF (Modular Policy Framework) policy of the ASA does not inspect ICMP, so ICMP is handled statelessly: the outbound echo-request creates no connection entry, and the echo-reply arriving on the outside interface is treated as new traffic from a lower-security interface. Nothing permits it (the outside ACL only covers the DMZ server), so it is dropped.
The clean fix is fixup protocol icmp, which enables stateful inspection of ICMP (inspect icmp) in the default inspection class referenced by the global_policy policy map. Only a reply that matches an outstanding request is then allowed back, and only one reply per request. The alternative, an outside ACL entry permitting echo-reply, also makes the ping work but lets any unsolicited echo-reply through as well.

ciscoasa(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands

Let's verify the policy; ICMP inspection is now in the list (only the ICMP lines of the global policy are shown):
ciscoasa#  sh run policy-map
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
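As an added illustration, not code from the post: a toy Python model of the ASA's per-packet decision for ICMP echo traffic under the three policies that matter here, the default global policy, a stateless echo-reply entry in the outside ACL, and inspect icmp. It reproduces the transcripts above (request out, reply dropped or permitted) and adds the case that separates the two fixes, an echo-reply nobody asked for. NAT is ignored and the Inside_Host address 192.168.1.10 is assumed (the post only names that host for management access); the class and function names are mine.

```python
"""Toy model of the ASA's ICMP echo handling (added example, not the post's code).
Good only for reproducing the behaviour in the transcripts: NAT is ignored and
addresses are shown untranslated. Inside_Host = 192.168.1.10 is an assumption."""

SEC_LEVEL = {"inside": 100, "DMZ": 70, "outside": 0}   # interface levels from the post


class ToyAsa:
    """Security levels, an optional ICMP ACL on outside, optional ICMP inspection."""

    def __init__(self, inspect_icmp=False, outside_acl_icmp_types=()):
        self.inspect_icmp = inspect_icmp
        self.outside_acl = set(outside_acl_icmp_types)  # ICMP types permitted in on outside
        self.pending = set()  # (src, dst, icmp_id) of inspected requests awaiting a reply

    def process(self, in_if, out_if, src, dst, icmp_type, icmp_id):
        """Return 'permit ...' or 'drop ...' for one ICMP packet."""
        # Stateful path: with inspection, a reply that answers an outstanding request
        # belongs to an existing connection and bypasses the interface ACLs. The entry
        # is consumed, so only one reply per request gets through.
        if self.inspect_icmp and icmp_type == "echo-reply":
            key = (dst, src, icmp_id)  # swap back to the request's direction
            if key in self.pending:
                self.pending.remove(key)
                return "permit (reply to an inspected request)"
        # New-connection path: the ingress ACL decides when the interface has one
        # (outside does here); otherwise the security-level rule applies
        # (higher -> lower permitted, lower -> higher denied).
        if in_if == "outside":
            allowed = icmp_type in self.outside_acl
        else:
            allowed = SEC_LEVEL[in_if] > SEC_LEVEL[out_if]
        if not allowed:
            return "drop (no connection and not permitted by the access policy)"
        if self.inspect_icmp and icmp_type == "echo-request":
            self.pending.add((src, dst, icmp_id))  # remember it for the reply
        return "permit (new connection)"


def ping_outcomes():
    """Replay Inside_Host -> Outside_Host ping, plus an unsolicited reply, per policy.

    Returns {policy: (request_passed, reply_passed, unsolicited_reply_passed)}.
    """
    policies = {
        "default policy": ToyAsa(),
        "stateless echo-reply ACL on outside": ToyAsa(outside_acl_icmp_types=("echo-reply",)),
        "inspect icmp": ToyAsa(inspect_icmp=True),
    }
    outcomes = {}
    for label, asa in policies.items():
        req = asa.process("inside", "outside", "192.168.1.10", "10.1.1.10", "echo-request", 1)
        rep = asa.process("outside", "inside", "10.1.1.10", "192.168.1.10", "echo-reply", 1)
        # An echo-reply nobody asked for, e.g. the return leg of an ICMP tunnel.
        bogus = asa.process("outside", "inside", "10.1.1.10", "192.168.1.10", "echo-reply", 99)
        outcomes[label] = tuple(r.startswith("permit") for r in (req, rep, bogus))
    return outcomes


def duplicate_reply_dropped():
    """With inspection, a second reply to the same request is dropped."""
    asa = ToyAsa(inspect_icmp=True)
    asa.process("inside", "outside", "192.168.1.10", "10.1.1.10", "echo-request", 7)
    first = asa.process("outside", "inside", "10.1.1.10", "192.168.1.10", "echo-reply", 7)
    second = asa.process("outside", "inside", "10.1.1.10", "192.168.1.10", "echo-reply", 7)
    return first.startswith("permit") and second.startswith("drop")


if __name__ == "__main__":
    for policy, (req, rep, bogus) in ping_outcomes().items():
        print(f"{policy:38} request={req} reply={rep} unsolicited_reply={bogus}")
    print("duplicate reply dropped under inspection:", duplicate_reply_dropped())
```

The point of the third column: both fixes make the ping succeed, but only the inspected variant still drops a reply that matches no request, which is why the inspection engine, not an ACL hole for echo-reply, is the right way to let users ping out.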

The ping works:
-Ping from Inside_Host to Outside_Host:
C:\Documents and Settings\Administrator>ping 10.1.1.10

Pinging 10.1.1.10 with 32 bytes of data:

Reply from 10.1.1.10: bytes=32 time=22ms TTL=127
Reply from 10.1.1.10: bytes=32 time=22ms TTL=127
Reply from 10.1.1.10: bytes=32 time=13ms TTL=127
Reply from 10.1.1.10: bytes=32 time=25ms TTL=127

Ping statistics for 10.1.1.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 25ms, Average = 20ms

-Ping From Server to Outside_Host:
C:\Users\user>ping 10.1.1.10

Pinging 10.1.1.10 with 32 bytes of data:
Reply from 10.1.1.10: bytes=32 time=16ms TTL=127
Reply from 10.1.1.10: bytes=32 time=22ms TTL=127
Reply from 10.1.1.10: bytes=32 time=22ms TTL=127
Reply from 10.1.1.10: bytes=32 time=18ms TTL=127

Ping statistics for 10.1.1.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 22ms, Average = 19ms
