Cisco Archives

Cisco ASA 5520

Cisco ASA 5520 Features

Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5520 model. This model is suitable as Internet Edge device for medium size enterprises but can be used also for internal LAN segmentation. From this model and up there are no Base License or Security Plus License options, like the 5505 and 5510 models. Also, the four integrated Network Interfaces by default support gigabit 10/100/1000 speed. There is an additional Management Interface which supports Fast Ethernet speed (10/100 Mbps). This Interface can be used as normal firewall interface by issuing the “no management-only” interface configuration command. So there are essentially five network interfaces integrated on the appliance.

In more detail, the Cisco ASA 5520 firewall features are the following: Read the rest of this entry

Cisco ASA 5510

Cisco ASA 5510 Features

Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5510 model which is a very popular appliance for small to medium enterprises. Unlike the ASA 5505, this is a rack-mountable model (1U size) which supports also an add-on module (SSM – Security Services Module). Similarly with the 5505, the ASA 5510 comes also with two types of software licenses: Base License and Security Plus License, with the later offering advanced hardware and performance features.

In more detail, the Cisco ASA 5510 firewall features are the following: Read the rest of this entry

Cisco ASA 5505

Cisco ASA 5505 Features

In this post I’ll describe the software and hardware features of the Cisco ASA 5505 model. The ASA 5505 is the smallest model in the 5500 series and is suitable for small businesses or small branch offices and teleworkers. As it is a smaller size compared with the other models, it is not rack-mountable. It is the only model also that comes with an 8-port switch (with 2 power over Ethernet ports). The Cisco ASA 5505 ports are Layer 2 ports and not normal Layer 3 ports like the other models. To configure its Layer 2 ports you need to create VLANs and assign each port to a certain VLAN number. All interface parameters are configured under the “Interface VLAN [number]” command.

The Cisco ASA 5505 features depend on which software license is installed. There are two license options available: Base License and Security Plus License. The Security Plus license enables the Cisco ASA 5505 Appliance to support higher connection capacity and a higher number of IPsec VPN users, add full DMZ support, and integrate into switched network environments through VLAN trunking support. Moreover, the upgrade security plus license enables redundant ISP connections and stateless Active/Standby high-availability services.

In more detail, the Cisco ASA 5505 features are the following: Read the rest of this entry

Cisco Router with Cisco ASA for Internet Access

A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned a public IP address range of 50.50.50.0/27 (that is a 32 address subnet). The usable addresses in this subnet range between 50.50.50.1 and 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router and 50.50.50.2 is the ISP gateway router. Also, we need to use address 50.50.50.3 for accessing a DMZ web server which has a real private address of 10.10.10.1.

Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.

Traffic Flow:

We need to achieve the following traffic flow:

1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.

2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).

Implementation:

There are a few ways you can follow to achieve the functionality above. For sure we need to perform NAT on the border Cisco Router to translate our internal private addresses to public addresses assigned by our ISP. We have the option also to perform additional NAT on the ASA firewall, which however I wouldn’t recommend.

The way I would configure such a scenario is the following:

  • 1) For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather create a static mapping of 192.168.1.0 to itself (will see this below) and configure NAT overload on the Cisco Router for the network 192.168.1.0/24.
  • 2) For inbound communication (Internet towards Web Server), create again a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco Router to map 10.10.10.1 to 50.50.50.3

Configuration:

Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.

Cisco ASA:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Create also a static NAT mapping of 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ , outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

EDIT: NAT Commands For Cisco ASA version 8.3 and later:

object network web_server_static
 host 10.10.10.1
 nat (DMZ,outside) static 10.10.10.1

object network inside_mapped
 subnet 192.168.1.0 255.255.255.0

object network internal-lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static inside_mapped

 

! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1

Cisco Router:

interface ethernet 0
ip address 50.50.50.1 255.255.255.224
ip nat outside

!
interface ethernet 1
ip address 10.0.0.1 255.255.255.0
ip nat inside

!Assume the router uses address 50.50.50.4 for all outbound communication
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255

!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3

ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2

Access Control Lists (ACLs) and Network Address Translation (NAT) are two of the most common features that coexist in the configuration of a Cisco ASA appliance. For both inbound and outbound access control lists, the IP addresses specified in the ACL depend on the interface where the ACL is applied. These IP addresses must be valid on the specific interface that the ACL is attached, regardless of NAT. Keep the following statement in mind: An Access Control List takes precedence over NAT. That is, an ACL is evaluated FIRST and then a NAT rule is applied to the packet.

For example, assume an inside host with private address 10.1.1.10 is translated to a public address 200.200.200.10 for outbound traffic (inside to outside). An ACL applied to the inside interface of the ASA firewall will first be evaluated to verify if the host 10.1.1.10 can access the Internet (outbound communication) and if the ACL permits this communication, only then NAT will be performed to translate 10.1.1.10 to 200.200.200.10. This is shown in the figure below.

cisco asa nat and acl access list

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1

ciscoasa(config)# access-group INSIDE in interface inside

!NAT can be applied only if ACL allows the communication

ciscoasa(config)# global (outside) 1 200.200.200.10 netmask 255.255.255.255

ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0

[ad#embedded-square]

Similarly, a scenario with inbound traffic (outside to inside) works again the same way. That is, an ACL is evaluated first for inbound traffic and then a NAT translation rule is applied. For example, assume we have a Web Server located on the inside network (should be on a DMZ for better security but for the sake of simplicity we assume it is located on the inside network). The private address configured on the Web Server is 10.1.1.10. We configured also static NAT on the Firewall to map the private address of the Web Server to a public address 200.200.200.10 on the outside (see figure below). Inbound traffic coming from the Internet towards the public address of the Web Server will first go through an ACL to verify if the traffic is permitted or not. If traffic is allowed by the ACL, then the static NAT will be applied to translate the destination address from 200.200.200.10 to 10.1.1.10.

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80

ciscoasa(config)# access-group OUTSIDE in interface outside

! Static NAT can be applied only if ACL allows the communication

ciscoasa(config)# static (inside,outside) 200.200.200.10 10.1.1.10 netmask 255.255.255.255

UPDATE:

For Cisco ASA version 8.3 and later, the order of operation regarding ACL and NAT is still the same (i.e ACLs are evaluated first and then static NAT takes place), HOWEVER the ACL now must reference the real private IP of the server and NOT the public IP.

In our example above, for ASA 8.3 the ACL would look like below:

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80

 Page 9 of 16  « First  ... « 7  8  9  10  11 » ...  Last »