Cisco Firewall ASA configuration case

Source: Internet
Author: User


Requirement: use the Cisco ASA firewall so that intranet hosts can reach servers on the Internet and in the DMZ, and so that servers in the DMZ can be published for access by Internet users.
I. Using the simulated Cisco firewall
Because we do not have real devices, we use a Linux-kernel-based virtual machine to simulate the Cisco firewall. The simulated firewall image can be downloaded, and we also need a program to connect to it: nptp.exe.
First, start the ASA firewall virtual machine, then install nptp.exe.
Open nptp and click "Edit" to create a new connection. The parameters are as follows:

Connect using a Connection Tool

Connection successful
II. IP Address Configuration
Internet IP configuration
Ciscoasa> enable
Ciscoasa # conf t
Ciscoasa (config) # int eth0/0
Ciscoasa (config-if) # ip add // Internet IP address
Ciscoasa (config-if) # no shut
Ciscoasa (config-if) # nameif outside // name of the external (Internet) interface; nameif is mandatory

Intranet IP configuration
Ciscoasa (config-if) # int eth0/1
Ciscoasa (config-if) # ip add
Ciscoasa (config-if) # no shut
Ciscoasa (config-if) # nameif inside

DMZ IP configuration
Ciscoasa (config-if) # int eth0/2
Ciscoasa (config-if) # ip add
Ciscoasa (config-if) # no shut
Ciscoasa (config-if) # nameif dmz

View routes
Ciscoasa (config-if) # show route
C is directly connected, inside
C is directly connected, dmz
C is directly connected, outside

Note: A nameif name must be configured on every ASA interface; an interface without a name cannot be brought up. Each name carries a security level (priority). The name inside is built into the system, can only be assigned to the intranet interface, and has security level 100, the highest; all other names default to 0. When a region with a higher security level accesses a region with a lower level, SNAT (global/nat) alone is enough for communication. When a region with a lower security level accesses a region with a higher level, DNAT (static) must be configured and an access control list is also required.
3. Accessing the Internet from the Intranet
Ciscoasa (config-if) # exit
Ciscoasa (config) # global (outside) 1 interface // SNAT pool 1 uses the address of the interface named outside
Ciscoasa (config) # nat (inside) 1 <Intranet CIDR block> // hosts on inside matching this block are translated through pool 1
We use the Internet network segment for the test, but we cannot test with ping, because by default the firewall rejects ping as a possible attack method. An RDP server on the Internet side is used for the test instead.

Test successful

4. Accessing the DMZ server from the Intranet
With the preceding settings in place, we only need one more command to add the dmz interface to the same SNAT pool.
Ciscoasa (config) # global (dmz) 1 interface
Test the access to the www server in DMZ.

5. Server publishing in DMZ
Publishing the RDP server
Ciscoasa (config) # int eth0/2
Ciscoasa (config-if) # security-level 50 // raise the DMZ security level above that of outside (0)
Ciscoasa (config-if) # exit

Ciscoasa (config) # static (dmz, outside) tcp interface 3389 3389 // static (DNAT) entry mapping TCP 3389 on the outside interface address to the DMZ RDP server
Ciscoasa (config) # access-list 100 permit tcp any host eq 3389 // ACL allowing any Internet host to reach TCP 3389 on the outside interface address
Ciscoasa (config) # access-group 100 in interface outside // apply the ACL inbound on the outside interface

Publishing the WWW server
Ciscoasa (config) # static (dmz, outside) tcp interface www www
Ciscoasa (config) # access-list 100 permit tcp any host eq 80
Ciscoasa (config) # access-group 100 in interface outside
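To make the security-level rule from the note in section II and the publishing steps above concrete, here is an added Python model (not part of the original article and not Cisco software) that parses a constructed pre-8.3-style ASA snippet and reports whether a TCP flow would pass. The DMZ server addresses 10.0.2.10/10.0.2.20 and the outside address 203.0.113.1 are assumed placeholders, and the decision logic is a deliberate simplification of the real ASA pipeline.

```python
# Added example, not from the original article: a simplified Python model of the
# pre-8.3 ASA rules above (security levels, "static" DNAT, inbound ACL). Addresses
# below are constructed placeholders; the real ASA evaluation has more stages.
import re
PORT_NAMES = {"www": 80}                       # ASA accepts service names in place of numbers

SAMPLE = """
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif dmz
 security-level 50
static (dmz,outside) tcp interface 3389 10.0.2.10 3389
static (dmz,outside) tcp interface www 10.0.2.20 www
access-list 100 permit tcp any host 203.0.113.1 eq 3389
access-group 100 in interface outside
"""

def port(tok):
    return int(PORT_NAMES.get(tok, tok))

def parse_asa(text):
    cfg, cur = {"level": {}, "static": set(), "acl": {}, "bound": {}}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()      # ignore trailing // comments as used in the article
        tok = line.split()
        if not tok: continue
        if tok[0] == "nameif":                  # article: inside defaults to 100, other names to 0
            cur = tok[1]
            cfg["level"][cur] = 100 if cur == "inside" else 0
        elif tok[0] == "security-level" and cur:
            cfg["level"][cur] = int(tok[1])
        elif m := re.match(r"static \((\w+),\s*(\w+)\) tcp \S+ (\w+) \S+ \w+", line):
            cfg["static"].add((m[2], m[1], port(m[3])))   # (mapped_ifc, real_ifc, mapped_port)
        elif m := re.match(r"access-list (\w+) permit tcp any host \S+ eq (\w+)", line):
            cfg["acl"].setdefault(m[1], set()).add(port(m[2]))
        elif m := re.match(r"access-group (\w+) in interface (\w+)", line):
            cfg["bound"][m[2]] = m[1]
    return cfg

def tcp_allowed(cfg, src, dst, dport):
    """Is a TCP flow entering `src` for a host behind `dst` on `dport` allowed? -> (bool, reason)"""
    s, d = cfg["level"][src], cfg["level"][dst]
    if s > d:
        return True, "higher to lower security level: allowed through global/nat (PAT)"
    if s == d:
        return False, "equal security levels: denied by default"
    if (src, dst, dport) not in cfg["static"]:
        return False, "lower to higher: no static (DNAT) entry publishes this port"
    if dport not in cfg["acl"].get(cfg["bound"].get(src), set()):
        return False, f"static exists but the inbound ACL on {src} does not permit port {dport}"
    return True, "static translation plus inbound ACL permit the published service"
```

Running `tcp_allowed(parse_asa(SAMPLE), "outside", "dmz", 80)` shows why the article's WWW step adds a second access-list line: the static alone is not enough.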
