A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned a public IP address range of 50.50.50.0/27 (that is a 32 address subnet). The usable addresses in this subnet range between 50.50.50.1 and 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router and 50.50.50.2 is the ISP gateway router. Also, we need to use address 50.50.50.3 for accessing a DMZ web server which has a real private address of 10.10.10.1.
 
Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.

Traffic Flow:

We need to achieve the following traffic flow:

1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.

2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).

Implementation:

There are a few ways you can follow to achieve the functionality above. For sure we need to perform NAT on the border Cisco Router to translate our internal private addresses to public addresses assigned by our ISP. We have the option also to perform additional NAT on the ASA firewall, which however I wouldn’t recommend.

The way I would configure such a scenario is the following:
 

• 1) For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather create a static mapping of 192.168.1.0 to itself (will see this below) and configure NAT overload on the Cisco Router for the network 192.168.1.0/24.
• 2) For inbound communication (Internet towards Web Server), create again a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco Router to map 10.10.10.1 to 50.50.50.3

Configuration:

Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.

Cisco ASA:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Create also a static NAT mapping of 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ , outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1

Cisco Router:

interface ethernet 0
 ip address 50.50.50.1 255.255.255.224
 ip nat outside
!
interface ethernet 1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

!Assume the router uses address 50.50.50.4 for all outbound communication
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255

!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3

ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2

Access Control Lists (ACLs) and Network Address Translation (NAT) are two of the most common features that coexist in the configuration of a Cisco ASA appliance. For both inbound and outbound access control lists, the IP addresses specified in the ACL depend on the interface where the ACL is applied. These IP addresses must be valid on the specific interface that the ACL is attached, regardless of NAT. Keep the following statement in mind: An Access Control List takes precedence over NAT. That is, an ACL is evaluated FIRST and then a NAT rule is applied to the packet.

For example, assume an inside host with private address 10.1.1.10 is translated to a public address 200.200.200.10 for outbound traffic (inside to outside). An ACL applied to the inside interface of the ASA firewall will first be evaluated to verify if the host 10.1.1.10 can access the Internet (outbound communication) and if the ACL permits this communication, only then NAT will be performed to translate 10.1.1.10 to 200.200.200.10. This is shown in the figure below.

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1

ciscoasa(config)# access-group INSIDE in interface inside

!NAT can be applied only if ACL allows the communication

ciscoasa(config)# global (outside) 1 200.200.200.10 netmask 255.255.255.255

ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0

See the following commands for the example above:

!The following ACL is evaluated first

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80

ciscoasa(config)# access-group OUTSIDE in interface outside

! Static NAT can be applied only if ACL allows the communication

ciscoasa(config)# static (inside,outside) 200.200.200.10 10.1.1.10 netmask 255.255.255.255

UPDATE:

For Cisco ASA version 8.3 and later, the order of operation regarding ACL and NAT is still the same (i.e ACLs are evaluated first and then static NAT takes place), HOWEVER the ACL now must reference the real private IP of the server and NOT the public IP.

In our example above, for ASA 8.3 the ACL would look like below:

ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80

Maybe the most popular and frequently used command on Cisco ASA firewalls is the one which shows the current running configuration, that is the “show run” command. However, maybe the most powerful command on Cisco ASA is the “show version” command. An example output of a show version command is shown below:

CISCO-ASA#  show version

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is “disk0:/asa723-k8.bin”
Config file at boot was “startup-config”

CISCO-ASA up 25 mins 32 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0×0)
Boot microcode   : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0    : address is 001e.4afa.2404, irq 11
1: Ext: Ethernet0/0         : address is 001e.4afa.23fc, irq 255
2: Ext: Ethernet0/1         : address is 001e.4afa.23fd, irq 255
3: Ext: Ethernet0/2         : address is 001e.4afa.23fe, irq 255
4: Ext: Ethernet0/3         : address is 001e.4afa.23ff, irq 255
5: Ext: Ethernet0/4         : address is 001e.4afa.2400, irq 255
6: Ext: Ethernet0/5         : address is 001e.4afa.2401, irq 255
7: Ext: Ethernet0/6         : address is 001e.4afa.2402, irq 255
8: Ext: Ethernet0/7         : address is 001e.4afa.2403, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: 1234567890
Running Activation Key: 123456781234567812345678

Configuration register is 0×1
Configuration last modified by enable_15 at 05:35:16.773 UTC Wed Apr 2 2008

Usefulness of show version command:

The power of the show version command comes from the wealth of useful information you can obtain from the output of this command. Use the show version command to display the following information:

• Appliance software version (in our example above it is 7.2(3)
• Software version of ASDM GUI software (in our example above it is 5.2(3)
• Where the appliance software image file is located (disk0:/asa723-k8.bin)
• Appliance up-time since last reboot (25 mins 32 secs)
• Appliance model, RAM memory and CPU type (ASA5505, 256 MB RAM, CPU Geode 500 MHz)
• Flash Memory (Internal ATA Compact Flash, 128MB)
• MAC Addresses of Ethernet Network Interfaces.
• Licensed features
• Serial Number (this can be used to order software upgrades)
• Running activation key
• Last time the configuration was modified.

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

In order to be able to monitor and troubleshoot your Cisco ASA firewall, you need to understand the difference between connections and translations.

Refer to the diagram above for an explanation about Connections and Translations.

A Connection works at the Transport Layer and includes the Source IP/Source Port and the Destination IP/Destination Port. Connections are subsets of Translations. You can have many connections open that are all using the same Translation. For example, a connection shown above is originated from Internal source host 192.168.1.1 with source port 1030 towards a Destination host (public Web Server) 100.100.100.1 on Destination Port 80.

A Translation works at the IP Layer and includes the Real IP Address and the Mapped (Translated) IP Address. Using NAT or PAT, a Real IP address is translated to a Mapped IP address and vice-versa. From the diagram above, the Real IP address 192.168.1.1 is translated to a Mapped IP address 20.20.20.1.

Connection Related Commands

ASA# show conn
ASA# show conn details
ASA# show local-host

The above commands will display the current active connections and information details about each connection. An example output is the following:

TCP outside:100.100.100.1/80 inside:192.168.1.1/1030 idle 0:00:05 bytes 1965 flags UIO

Translation Related Commands

ASA# show xlate
ASA# show xlate detail
ASA# clear xlate

The commands above enable you to display or clear the contents of the translation table. An example output is the following:

NAT from inside:192.168.1.1 to outside:20.20.20.1 flags i