To view the firewall's current operating mode:
ciscoasa# show firewall
Firewall mode: Router
Configure the firewall for transparent mode:
ciscoasa(config)# firewall transparent
Configure the firewall for routed mode (there is no "firewall router" command; routed mode is the absence of transparent mode):
ciscoasa(config)# no firewall transparent
PS: Changing the firewall mode clears the running configuration. Back it up first, and once the new mode is configured save it to flash with write memory.
To configure a transparent firewall:
ciscoasa(config)# firewall transparent
ciscoasa# show firewall
Firewall mode: Transparent
Name the interfaces and set the management IP:
ciscoasa(config)# interface Ethernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface Ethernet 0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shutdown
ciscoasa(config)# ip address 192.168.1.201 255.255.255.0
PS: In transparent mode the data interfaces carry no IP addresses of their own; the single management address is set in global configuration mode as above (ASA 8.2 and earlier). From 8.4 onward the interfaces are placed in a bridge group and the address is configured on the BVI interface instead.
Default route:
ciscoasa(config)# route outside 0 0 10.1.1.2
Static route:
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 192.168.1.3
PS: In transparent mode these routes only affect traffic the ASA itself originates (management, syslog, AAA); bridged traffic is switched by MAC address, not routed.
View MAC address learning status per interface:
ciscoasa(config)# show mac-learn
interface   mac learn
-------------------------------------------
inside      enabled
outside     enabled
To view the MAC address table:
ciscoasa(config)# show mac-address-table inside
interface   mac address       type       Age(min)
-----------------------------------------------------------------
inside      0023.4ee0.7b6c    dynamic    5
inside      d0df.9a02.b1ac    dynamic    5
inside      0022.1961.760c    dynamic    5
inside      0015.0065.8e00    dynamic    5
inside      ec6c.9f02.26ba    dynamic    5
Set the MAC address table aging time (in minutes):
ciscoasa(config)# mac-address-table aging-time 10
Define a static MAC address table entry for a host:
ciscoasa(config)# mac-address-table static inside 0023.4ee0.7b6c
The entry now shows as static in the MAC address table (static entries never age out):
ciscoasa(config)# show mac-address-table
interface   mac address       type       Age(min)
-----------------------------------------------------------------
inside      0023.4ee0.7b6c    static
Disable MAC address learning on one interface (only static entries are then used to forward frames out of it):
ciscoasa(config)# mac-learn outside disable
Add a static ARP entry (never expires; ARP inspection checks packets against these entries):
ciscoasa(config)# arp inside 192.168.1.120 0023.4ee0.7b6c
Enable ARP inspection (each ARP packet is checked against the static ARP entries):
ciscoasa(config)# arp-inspection inside enable flood
ciscoasa(config)# arp-inspection outside enable no-flood
Display the ARP inspection status for each interface:
ciscoasa(config)# show arp-inspection
interface    arp-inspection    miss
----------------------------------------------------
inside       enabled           flood
outside      enabled           no-flood
PS: An ARP packet whose interface, IP and MAC match a static entry is forwarded; one that conflicts with a static entry (different MAC, IP or interface) is dropped as spoofed. The flood / no-flood keyword decides what happens to packets that match no static entry at all: flood forwards them out all interfaces, no-flood drops them. no-flood is the secure setting, but it only works once every legitimate host has a static arp entry.
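The decision the ASA makes for each ARP packet, modelled in Python as an added example (this is not code from the page or from Cisco). The static entry and the two interface modes are the ones configured above; the ARP packets, including the spoofed ones, are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress: str        # nameif of the interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


class ArpInspection:
    """Static ARP table plus per-interface arp-inspection mode, as on the ASA."""

    def __init__(self):
        self.static = {}    # (ifc, ip) -> mac      from `arp <ifc> <ip> <mac>`
        self.mode = {}      # ifc -> "flood" | "no-flood"   from `arp-inspection`

    def arp(self, ifc, ip, mac):
        self.static[(ifc, ip)] = mac.lower()

    def arp_inspection(self, ifc, mode):
        if mode not in ("flood", "no-flood"):
            raise ValueError(mode)
        self.mode[ifc] = mode

    def inspect(self, pkt):
        """Return 'forward', 'flood' or 'drop' for one ARP packet."""
        mode = self.mode.get(pkt.ingress)
        if mode is None:
            return "forward"            # inspection disabled: bridged unchecked
        mac = pkt.sender_mac.lower()
        # 1. interface, IP and MAC all match a static entry: legitimate host
        if self.static.get((pkt.ingress, pkt.sender_ip)) == mac:
            return "forward"
        # 2. a static entry exists for this IP or this MAC but something
        #    (interface, IP or MAC) differs: treat as ARP spoofing and drop
        for (ifc, ip), known_mac in self.static.items():
            if ip == pkt.sender_ip or known_mac == mac:
                return "drop"
        # 3. no static entry at all: the interface's flood/no-flood mode decides
        return "flood" if mode == "flood" else "drop"


def build_page_config():
    """The arp and arp-inspection commands from the page."""
    insp = ArpInspection()
    insp.arp("inside", "192.168.1.120", "0023.4ee0.7b6c")
    insp.arp_inspection("inside", "flood")
    insp.arp_inspection("outside", "no-flood")
    return insp


def demo():
    insp = build_page_config()
    packets = {   # constructed ARP packets
        "legit":       ArpPacket("inside",  "192.168.1.120", "0023.4ee0.7b6c"),
        "spoofed_mac": ArpPacket("inside",  "192.168.1.120", "dead.beef.0001"),
        "stolen_mac":  ArpPacket("inside",  "192.168.1.99",  "0023.4ee0.7b6c"),
        "unknown_in":  ArpPacket("inside",  "192.168.1.50",  "aaaa.bbbb.cccc"),
        "unknown_out": ArpPacket("outside", "10.1.1.9",      "aaaa.bbbb.cccd"),
        "wrong_ifc":   ArpPacket("outside", "192.168.1.120", "0023.4ee0.7b6c"),
    }
    return {name: insp.inspect(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The two "unknown" packets show the practical difference between the modes: on the inside interface (flood) an unlisted host is still bridged, so an attacker who picks an IP with no static entry is not stopped; on the outside interface (no-flood) it is dropped. A common rollout is to start every interface in flood mode, add arp entries until show arp no longer learns anything new, then switch to no-flood.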
Configure an EtherType access list, applied in both directions, so that BPDUs and IPX frames are bridged through the transparent firewall (non-IP frames are not inspected; the EtherType ACL only decides whether they pass):
ciscoasa(config)# access-list access1 ethertype permit bpdu
ciscoasa(config)# access-list access1 ethertype permit ipx
ciscoasa(config)# access-group access1 in interface inside
ciscoasa(config)# access-group access1 in interface outside
Configure an extended ACL that permits all IP traffic:
ciscoasa(config)# access-list access2 extended permit ip any any
Allow traffic between interfaces that share the same security level (inter-interface) and traffic that enters and leaves the same interface (intra-interface, needed for hairpinning such as VPN-to-VPN):
ciscoasa(config)# same-security-traffic permit inter-interface
ciscoasa(config)# same-security-traffic permit intra-interface
View the xlate table (active NAT translations) and the connection table:
ciscoasa(config)# show xlate
0 in use, 0 most used
ciscoasa(config)# show conn
0 in use, 1 most used
Static NAT and static PAT (port mapping), pre-8.3 syntax:
One-to-one mapping of a single host:
ciscoasa(config)# static (inside,outside) 10.1.1.1 192.168.0.5 netmask 255.255.255.255
Map the outside interface address itself to the inside host 192.168.0.5:
ciscoasa(config)# static (inside,outside) interface 192.168.0.5 netmask 255.255.255.255
Map port 80 of the outside address 10.1.1.1 to port 80 of 192.168.0.5:
ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 www 192.168.0.5 www netmask 255.255.255.255
Map port 25 of the outside address 10.1.1.1 to port 25 of 192.168.0.10:
ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 smtp 192.168.0.10 smtp netmask 255.255.255.255
PS: These are alternatives, not one configuration: the one-to-one static for 10.1.1.1 claims every port of that address, so the static PATs on 10.1.1.1 would be rejected as overlapping if both were entered.
Permit inbound traffic to the mapped ports on the outside interface (on pre-8.3 code the ACL is written against the mapped address, not the real inside address):
ciscoasa(config)# access-list access1 extended permit tcp any host 10.1.1.1 eq www
ciscoasa(config)# access-list access1 extended permit tcp any host 10.1.1.1 eq smtp
ciscoasa(config)# access-group access1 in interface outside
NAT exemption: traffic matching the ACL passes without any translation:
ciscoasa(config)# access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list access2
PS: When hosts on 192.168.0.0/24 reach hosts on 192.168.1.0/24, 192.168.2.0/24 or 192.168.3.0/24 (typically site-to-site VPN or DMZ traffic), no NAT is performed. NAT exemption is evaluated before every other NAT rule, so it wins even when a static or dynamic rule would also match.
Policy static NAT: translate only the traffic matching an ACL, using the mapped address 10.1.1.1:
ciscoasa(config)# access-list access3 extended permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
ciscoasa(config)# static (inside,outside) 10.1.1.1 access-list access3 0 0
PS: The trailing "0 0" are the TCP maximum-connection and embryonic-connection limits (0 means unlimited).
Dynamic PAT: inside hosts on 192.168.0.0/16 reaching any destination are translated to the outside interface address:
ciscoasa(config)# access-list access4 extended permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Dynamic NAT: the same hosts are translated to addresses drawn from a pool instead:
ciscoasa(config)# access-list access4 extended permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PS: The nat and global commands are tied together by the NAT ID (1 here). Once a pool is exhausted new connections fail unless a PAT address (for example the interface) is also configured under the same ID as a fallback.
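The order in which a pre-8.3 ASA tries the NAT rules above for a new inside-to-outside connection (exemption, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT), modelled in Python as an added example; this is not code from the page or from Cisco. The exemption ACL, the two static PATs on 10.1.1.1 and the nat 1 / global 1 interface rule are the page's; the outside interface address 10.1.1.10, the nat 2 pool rule for 172.16.0.0/16 and the flows are constructed assumptions for the demonstration. Pool allocation is simplified to "first address of the pool".

```python
import ipaddress


def _addr(a):
    return ipaddress.ip_address(a)


def _net(n):
    return ipaddress.ip_network(n, strict=False)


def acl_permits(acl, src, dst):
    """acl: ordered list of (src_net, dst_net) permit entries; any match permits."""
    return any(_addr(src) in _net(s) and _addr(dst) in _net(d) for s, d in acl)


class Nat:
    """Pre-8.3 NAT rules for the inside -> outside direction."""

    def __init__(self, outside_if_addr):
        self.outside_if = outside_if_addr  # used by `global (outside) <id> interface`
        self.exempt = []                   # nat (inside) 0 access-list <acl>
        self.static = []                   # static (inside,outside) ...
        self.policy_dynamic = []           # nat (inside) <id> access-list <acl>
        self.dynamic = []                  # nat (inside) <id> <net> <mask>
        self.globals = {}                  # <id> -> "interface" | (first, last)

    def nat0(self, acl):
        self.exempt.append(acl)

    def static_nat(self, mapped, real, proto=None, port=None):
        """proto/port None = one-to-one static; otherwise static PAT."""
        self.static.append((real, mapped, proto, port))

    def nat_policy(self, nat_id, acl):
        self.policy_dynamic.append((acl, nat_id))

    def nat_net(self, nat_id, net):
        self.dynamic.append((_net(net), nat_id))

    def global_(self, nat_id, spec):
        self.globals[nat_id] = spec

    def _global_addr(self, nat_id):
        spec = self.globals[nat_id]
        return self.outside_if if spec == "interface" else spec[0]  # simplified pool pick

    def translate(self, src, dst, proto="tcp", sport=40000):
        """Return (mapped source address, rule that matched) for a new connection."""
        for acl in self.exempt:                            # 1. NAT exemption
            if acl_permits(acl, src, dst):
                return src, "nat 0 (exempt)"
        for real, mapped, p, port in self.static:          # 2. static NAT / PAT
            if real == src and (port is None or (p == proto and port == sport)):
                return mapped, "static"
        for acl, nat_id in self.policy_dynamic:            # 3. policy dynamic NAT
            if acl_permits(acl, src, dst):
                return self._global_addr(nat_id), f"nat {nat_id} access-list"
        for net, nat_id in self.dynamic:                   # 4. regular dynamic NAT
            if _addr(src) in net:
                return self._global_addr(nat_id), f"nat {nat_id}"
        # No rule matched: with nat-control disabled (the ASA default) the packet
        # passes untranslated; with `nat-control` enabled it would be dropped.
        return src, "none"


def build_page_config():
    nat = Nat(outside_if_addr="10.1.1.10")                # assumed outside address
    nat.nat0([("192.168.0.0/24", "192.168.1.0/24"),        # access2
              ("192.168.0.0/24", "192.168.2.0/24"),
              ("192.168.0.0/24", "192.168.3.0/24")])
    nat.static_nat("10.1.1.1", "192.168.0.5", "tcp", 80)   # www static PAT
    nat.static_nat("10.1.1.1", "192.168.0.10", "tcp", 25)  # smtp static PAT
    nat.nat_policy(1, [("192.168.0.0/16", "0.0.0.0/0")])   # access4
    nat.global_(1, "interface")
    nat.nat_net(2, "172.16.0.0/16")                        # constructed, not on the page
    nat.global_(2, ("10.1.1.100", "10.1.1.200"))
    return nat


def demo():
    nat = build_page_config()
    return {  # constructed flows; 203.0.113.1 is a documentation address
        "exempt":         nat.translate("192.168.0.7", "192.168.2.9"),
        "server_sport80": nat.translate("192.168.0.5", "203.0.113.1", "tcp", 80),
        "web_client":     nat.translate("192.168.0.5", "203.0.113.1", "tcp", 51515),
        "other_inside":   nat.translate("192.168.50.3", "203.0.113.1"),
        "pool":           nat.translate("172.16.4.4", "203.0.113.1"),
        "no_rule":        nat.translate("10.9.9.9", "203.0.113.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Two results are worth noticing. 192.168.0.7 reaching 192.168.2.9 also matches access4, but the nat 0 exemption is consulted first, so the private address is kept. And the web server 192.168.0.5 is only translated to 10.1.1.1 when the connection uses port 80; a connection it opens from an ephemeral port falls through to the nat 1 PAT rule and leaves as the interface address, which is why a static PAT does not "give a host a public address" the way a one-to-one static does.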
Permit only specific source networks on the inside interface (the implicit deny at the end of every ACL is written out here so that denied traffic is logged):
ciscoasa(config)# access-list access0 extended permit ip 192.168.0.0 255.255.255.0 any
ciscoasa(config)# access-list access0 extended permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)# access-list access0 extended deny ip any any
ciscoasa(config)# access-group access0 in interface inside
PS: ACL names are case-sensitive, so the name in access-group must match the access-list exactly.
To view the currently configured ACLs:
ciscoasa(config)# show running-config access-list
access-list access1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3 extended permit ip 192.168.0.0 255.255.0.0 any
To view the ACLs as the ASA evaluates them (one line per expanded entry, with element counts):
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list access1; 2 elements
access-list access1 line 1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 line 2 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2; 1 elements
access-list access2 line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3; 1 elements
access-list access3 line 1 extended permit ip 192.168.0.0 255.255.0.0 any
Rename an ACL:
ciscoasa(config)# access-list access3 rename access_3
Add a description (remark) to an ACL, or to a specific line of it:
ciscoasa(config)# access-list access3 remark acl_3_nat
ciscoasa(config)# access-list access1 line 2 remark acl_smtp_permit
Remove a single entry from an ACL:
ciscoasa(config)# no access-list access1 extended permit ip any any
PS: The no form removes only the entry that matches exactly. To delete the whole ACL use clear configure access-list access1.
To define a network object group:
ciscoasa(config)# object-group network Accounting_addrs
ciscoasa(config-network)# description List of Accounting Dept IP Addresses
ciscoasa(config-network)# network-object host 192.168.0.1
ciscoasa(config-network)# network-object host 192.168.0.2
ciscoasa(config-network)# network-object host 192.168.0.3
ciscoasa(config-network)# network-object 192.168.1.0 255.255.255.0
PS: A host added to the object group is automatically expanded into every ACL that references the group; the ACLs themselves do not need editing.
Nesting one network object group inside another:
ciscoasa(config)# object-group network Remotesite_addrs
ciscoasa(config-network)# group-object Accounting_addrs
To define a protocol object group:
ciscoasa(config)# object-group protocol Tunnel1_proto
ciscoasa(config-protocol)# description tunneling protocols
ciscoasa(config-protocol)# protocol-object ipinip
ciscoasa(config-protocol)# protocol-object esp
ciscoasa(config-protocol)# protocol-object ah
ciscoasa(config-protocol)# protocol-object gre
Nesting a protocol object group:
ciscoasa(config)# object-group protocol Group1_proto
ciscoasa(config-protocol)# group-object Tunnel1_proto
To define a basic (single-protocol) service object group:
ciscoasa(config)# object-group service Web_ports tcp
ciscoasa(config-service)# description TCP ports used by web browsers
ciscoasa(config-service)# port-object eq www
ciscoasa(config-service)# port-object eq https
ciscoasa(config-service)# port-object range 8080 8088
ciscoasa(config-service)# exit
Nesting a basic service object group:
ciscoasa(config)# object-group service Example_ports tcp
ciscoasa(config-service)# group-object Web_ports
To define an enhanced service object group (no protocol keyword on the group; each entry carries its own protocol and, optionally, ports):
ciscoasa(config)# object-group service test
ciscoasa(config-service)# description Test Service
ciscoasa(config-service)# service-object icmp echo
ciscoasa(config-service)# service-object icmp echo-reply
ciscoasa(config-service)# service-object esp
ciscoasa(config-service)# service-object udp eq isakmp
ciscoasa(config-service)# service-object udp source eq 10000
ciscoasa(config-service)# service-object tcp eq www
ciscoasa(config-service)# exit
PS: In an ACL an enhanced service object group stands in for both the protocol and the port fields, so it is referenced once per entry, in the protocol position (see ACCESS6 below), and cannot be combined with a separate port or basic service group on the same line.
To use object groups in ACLs (group names are case-sensitive and must match the definitions exactly):
ciscoasa(config)# access-list ACCESS5 extended permit tcp object-group Remotesite_addrs any object-group Web_ports
ciscoasa(config)# access-list ACCESS6 extended permit object-group test any host 192.168.0.100
To reset the ACL hit counters:
ciscoasa(config)# clear access-list ACCESS5 counters
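What the ASA does with ACCESS5 internally, modelled in Python as an added example (not code from the page or from Cisco): the object groups are expanded into the individual entries that show access-list lists and counts as "elements", packets are matched first-match with the implicit deny at the end, and per-entry hit counters are kept as clear access-list counters would reset them. The group and ACL definitions are the page's; the packets are constructed, and adding 192.168.0.4 to Accounting_addrs at the end shows the automatic expansion described under the network object group.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" | "udp" | ...
    src: str
    dst: str
    dport: int


ANY = ipaddress.ip_network("0.0.0.0/0")


class ObjectGroups:
    """network-object / port-object lists, with group-object nesting."""

    def __init__(self):
        self.network = {}   # name -> [ "a.b.c.d/len" | ("group", name) ]
        self.service = {}   # name -> [ (lo, hi) | ("group", name) ]

    def expand_network(self, name):
        nets = []
        for item in self.network[name]:
            if isinstance(item, tuple):                 # group-object <name>
                nets += self.expand_network(item[1])
            else:
                nets.append(ipaddress.ip_network(item, strict=False))
        return nets

    def expand_ports(self, name):
        ports = []
        for item in self.service[name]:
            if item[0] == "group":                      # group-object <name>
                ports += self.expand_ports(item[1])
            else:
                ports.append(item)                      # (lo, hi)
        return ports


@dataclass
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" | "tcp" | "udp"
    src: object                 # ip_network or ("group", name)
    dst: object
    ports: object = (0, 65535)  # (lo, hi) or ("group", name)


class Acl:
    def __init__(self, name, groups):
        self.name, self.groups, self.aces = name, groups, []

    def add(self, ace):
        self.aces.append(ace)

    def expanded(self):
        """Concrete entries in order, as `show access-list` lists them."""
        g, rows = self.groups, []
        for a in self.aces:
            srcs = g.expand_network(a.src[1]) if isinstance(a.src, tuple) else [a.src]
            dsts = g.expand_network(a.dst[1]) if isinstance(a.dst, tuple) else [a.dst]
            ports = g.expand_ports(a.ports[1]) if a.ports[0] == "group" else [a.ports]
            rows += [(a.action, a.proto, s, d, p) for s in srcs for d in dsts for p in ports]
        return rows

    def evaluate(self, pkt, hits):
        """First match wins; no match is the implicit deny at the end of every ACL."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for i, (action, proto, s, d, (lo, hi)) in enumerate(self.expanded()):
            if proto in ("ip", pkt.proto) and src in s and dst in d and lo <= pkt.dport <= hi:
                hits[i] = hits.get(i, 0) + 1       # hitcnt of this expanded entry
                return action
        return "deny"


def build_page_config():
    g = ObjectGroups()
    g.network["Accounting_addrs"] = ["192.168.0.1/32", "192.168.0.2/32",
                                     "192.168.0.3/32", "192.168.1.0/24"]
    g.network["Remotesite_addrs"] = [("group", "Accounting_addrs")]
    g.service["Web_ports"] = [(80, 80), (443, 443), (8080, 8088)]
    g.service["Example_ports"] = [("group", "Web_ports")]
    acl = Acl("ACCESS5", g)
    acl.add(Ace("permit", "tcp", ("group", "Remotesite_addrs"), ANY, ("group", "Web_ports")))
    return g, acl


def demo():
    g, acl = build_page_config()
    hits = {}
    ext = "203.0.113.5"   # constructed external host
    r = {
        "elements":        len(acl.expanded()),   # 4 networks x 3 port ranges = 12
        "acct_https":      acl.evaluate(Packet("tcp", "192.168.0.2", ext, 443), hits),
        "acct_ssh":        acl.evaluate(Packet("tcp", "192.168.0.2", ext, 22), hits),
        "net_8085":        acl.evaluate(Packet("tcp", "192.168.1.77", ext, 8085), hits),
        "udp_443":         acl.evaluate(Packet("udp", "192.168.0.2", ext, 443), hits),
        "new_host_before": acl.evaluate(Packet("tcp", "192.168.0.4", ext, 80), hits),
    }
    # Add a host to the group: the ACL that references it grows without being edited.
    g.network["Accounting_addrs"].append("192.168.0.4/32")
    r["elements_after"] = len(acl.expanded())   # 15
    r["new_host_after"] = acl.evaluate(Packet("tcp", "192.168.0.4", ext, 80), hits)
    r["hits"] = dict(hits)
    return r
```

The element count is what matters for capacity planning: a single ACE that references a 50-host network group and a 10-entry service group expands to 500 entries, and every one of them costs memory and lookup time on the ASA.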
Shun a rogue host (every packet from the address is dropped on arrival, before any ACL or connection-table lookup, and its existing connections are torn down):
ciscoasa(config)# shun 172.21.4.8
To view connections:
ciscoasa(config)# show conn
To view the active shuns:
ciscoasa(config)# show shun
To view the system log:
ciscoasa(config)# show logging
To view shun statistics (packets dropped per interface):
ciscoasa(config)# show shun statistics
To remove the shun for a specific source address:
ciscoasa(config)# no shun 172.21.4.8
PS: Shuns are dynamic state, not configuration: they are not written to the running configuration and are lost on reload.
This article is from the "Operation and Maintenance House (QQ group: 1991706)" blog; please keep this source: http://304076020.blog.51cto.com/7503470/1563925
Cisco ASA Firewall Deployment case