Cisco ASA firewall basic initialization

From Notes_Wiki (revision as of 07:50, 16 June 2023 by Saurabh)

Home > Enterprise security devices or applications > Cisco ASA firewall > Basic initialization

Consider the following requirements for initializing an ASA firewall:

  • DMZ IP of 192.168.11.1/24 for servers
  • WAN public IP 1.1.11.213/30 for Internet
  • LAN IP of 192.168.100.1/24 for LAN users
  • An additional LAN subnet, 192.168.10.0/24, reachable via the L3 switch at 192.168.100.2
  • Outgoing internet access for LAN users from both 192.168.10.0/24 and 192.168.100.0/24 subnets.

We can initialize the ASA with the following steps.

Configure hostname and enable password

Configure the hostname, the enable password and a local admin account via:

hostname ciscoasa
enable password <password>
username admin password <password> privilege 15

Configure interfaces

Configure the interfaces (say GigabitEthernet0/0 to 0/2) and the static routes using the commands below. Note that the masks must match the /24 requirements: a 255.255.254.0 (/23) mask on the DMZ or on the 192.168.10.0 route would make 192.168.10.0/23 overlap the 192.168.11.0/24 DMZ subnet.

interface GigabitEthernet0/0
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.11.213 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.11.214 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1


Configure NAT (PAT to the outside interface address) for inside users, and optionally for the DMZ:

nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface

After the steps above, inside hosts (security level 100) can already open connections to the outside (security level 0): the ASA permits traffic from a higher to a lower security level by default, and because it is a stateful firewall it matches the return packets of every TCP and UDP connection it has seen against its connection table, so no inbound rule on outside is needed for reply traffic. What does not return by default is ICMP: echo replies are only tied to their requests when `inspect icmp` is enabled in the global service policy, so a ping test from the LAN fails even though TCP and UDP work. Since this is a basic setup for a demo, we simply allow all incoming traffic on outside with an access-list:

access-list outside_in extended permit ip any any
access-group outside_in in interface outside

This gives complete Internet access from inside, including ping, but it also disables inbound filtering on the outside interface, so it is acceptable only in a lab. On a real deployment enable `inspect icmp` instead and keep the outside access-list limited to the services you intentionally publish.
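The complete initialization with the weak inbound setting replaced by a hardened one, as an added example that is not part of the original page. It keeps the page's hostnames, interfaces, addresses and routes; the object and object-group names (LAN-100, LAN-10, DMZ-NET, INTERNAL-NETS) are assumptions made for this example. The weak `permit ip any any` line is kept as a comment beside its replacement: ICMP inspection so that ping from the LAN works, explicit permits for the ICMP error messages that traceroute and path-MTU discovery need, and an explicit logged deny so dropped inbound traffic shows up in syslog.

```cisco
! Hostname and local admin account
hostname ciscoasa
enable password <password>
username admin password <password> privilege 15
!
! Interfaces: masks match the /24, /30 and /24 requirements
interface GigabitEthernet0/0
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.11.213 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Default route to the ISP and the second LAN subnet behind the L3 switch
route outside 0.0.0.0 0.0.0.0 1.1.11.214 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
!
! Named objects (names are assumptions for this example) so NAT covers
! only the subnets we own rather than "any"
object network LAN-100
 subnet 192.168.100.0 255.255.255.0
object network LAN-10
 subnet 192.168.10.0 255.255.255.0
object network DMZ-NET
 subnet 192.168.11.0 255.255.255.0
object-group network INTERNAL-NETS
 network-object object LAN-100
 network-object object LAN-10
!
! PAT to the outside interface address
nat (inside,outside) source dynamic INTERNAL-NETS interface
nat (dmz,outside) source dynamic DMZ-NET interface
!
! Weak setting (lab only): an inbound permit-all on outside means the ASA
! no longer filters anything arriving from the Internet.
!   access-list outside_in extended permit ip any any
!
! Corrected: make ICMP stateful so ping from the LAN works. TCP/UDP replies
! are already handled by the connection table without any inbound rule.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Inbound on outside: only the ICMP error messages needed by traceroute and
! path-MTU discovery, then an explicit deny so drops are logged.
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Publishing a DMZ server later means adding a static NAT for it plus a permit in outside_in for just that host and port; nothing else in this policy needs to change, which is the point of starting from an explicit deny rather than a permit-all.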

