Cisco Firewall ASA configuration case

Source: Internet
Author: User

Topology


Requirement: use the Cisco ASA firewall so that Intranet hosts can access servers on the Internet and in the DMZ, and so that servers in the DMZ can be published for access by Internet users.
I. Using the simulated Cisco firewall
Because we do not have real devices, we use a virtual machine built on the Linux kernel to simulate Cisco's firewall. The simulated firewall image can be downloaded, and a separate program, nptp.exe, is needed to connect to it.
First start the ASA firewall virtual machine, then install nptp.exe.
Open nptp, click "Edit" and create a new connection with the following parameters:


Connect using a Connection Tool



Connection successful
II. IP Address Configuration
Internet IP configuration
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)# int eth0/0
ciscoasa(config-if)# ip address 192.168.101.150 255.255.255.0 // Internet-facing IP address
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif outside // name of the external interface; must be configured

Intranet IP configuration
ciscoasa(config-if)# int eth0/1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside

DMZ IP configuration
ciscoasa(config-if)# int eth0/2
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif dmz

View routes
ciscoasa(config-if)# show route
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz
C 192.168.101.0 255.255.255.0 is directly connected, outside

Note: every ASA interface must be given a nameif; without a name the interface cannot be brought up. Each name carries a security level (priority). The name inside is built into the system: it can only be assigned to the Intranet interface and receives security level 100, the highest, while all other interfaces default to 0. When a region with a higher security level accesses a region with a lower one, snat alone is enough for the traffic to flow; when a region with a lower security level accesses a region with a higher one, dnat is required and an access control list must be applied as well.
III. Access the Internet from the Intranet
ciscoasa(config-if)# exit
ciscoasa(config)# global (outside) 1 interface // pool 1: snat (PAT) behind the address of the interface named outside
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 // pool 1: the Intranet network that is translated
Test
We use 192.168.101.0/24 as the Internet segment. During the test we cannot use the ping command, because by default the firewall rejects ping, treating it as an attack method. For the test I have an RDP server at 192.168.101.105.





Test successful

IV. Access the DMZ server from the Intranet
With the preceding settings in place, only one more command is needed: add the dmz interface to the same global pool.
ciscoasa(config)# global (dmz) 1 interface
Test access to the www server in the DMZ.



V. Publishing servers in the DMZ
Publishing the RDP server
ciscoasa(config)# int eth0/2
ciscoasa(config-if)# security-level 50 // raise the security level of the dmz region above that of outside (0)

ciscoasa(config)# static (dmz,outside) tcp interface 3389 192.168.2.2 3389 // static dnat: port 3389 on the outside interface address maps to 192.168.2.2:3389 in the dmz
ciscoasa(config)# access-list 100 permit tcp any host 192.168.101.150 eq 3389 // ACL permitting Internet hosts to reach port 3389 on the outside address (in this syntax the ACL matches the mapped address)
ciscoasa(config)# access-group 100 in interface outside // apply the ACL inbound on the outside interface
Test


Publishing the www server
ciscoasa(config)# static (dmz,outside) tcp interface www 192.168.2.2 www
ciscoasa(config)# access-list 100 permit tcp any host 192.168.101.150 eq 80
ciscoasa(config)# access-group 100 in interface outside
Test
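An added example (not from the original post or Cisco) that audits the configuration built up in sections II to V: it parses the pre-8.3 global/nat/static/access-list lines as entered above and applies the security-level rule from the note in section II to decide which flows are allowed, so a defender can list exactly which DMZ ports the Internet can reach. The interface table and the flow model are constructed assumptions; they follow the rule as the page states it rather than every ASA default.

```python
# Constructed summary of the interfaces from sections II and V: name -> (security level, address).
INTERFACES = {"inside": (100, "192.168.1.1"), "dmz": (50, "192.168.2.1"), "outside": (0, "192.168.101.150")}
# The NAT and ACL lines from sections III to V, in the pre-8.3 syntax the page uses.
ASA_CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
static (dmz,outside) tcp interface 3389 192.168.2.2 3389
access-list 100 permit tcp any host 192.168.101.150 eq 3389
access-group 100 in interface outside
static (dmz,outside) tcp interface www 192.168.2.2 www
access-list 100 permit tcp any host 192.168.101.150 eq 80
"""

def port(tok):
    """Resolve a numeric port or the ASA port keyword used on the page."""
    return int(tok) if tok.isdigit() else {"www": 80}[tok]

def parse(config):
    """Collect global/nat pools, static port maps and inbound ACLs from the config text."""
    r = {"global": {}, "nat": {}, "static": [], "acl": {}, "acl_in": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] in ("global", "nat"):   # pool id -> interfaces on that side of the pool
            r[t[0]].setdefault(t[2], set()).add(t[1].strip("()"))
        elif t[0] == "static":          # static (real,mapped) tcp interface mport real_ip rport
            real, mapped = t[1].strip("()").split(",")
            r["static"].append((real, mapped, port(t[4]), t[5], port(t[6])))
        elif t[0] == "access-list":     # access-list ID permit tcp any host IP eq PORT
            r["acl"].setdefault(t[1], []).append((t[2], t[6], port(t[8])))
        elif t[0] == "access-group":    # access-group ID in interface IFC
            r["acl_in"][t[4]] = t[1]
    return r

def flow_allowed(rules, src, dst, dst_port):
    """Apply the security-level rule from the note in section II, as the page states it."""
    s_level, s_ip = INTERFACES[src]
    if s_level > INTERFACES[dst][0]:
        # higher -> lower: snat alone; some pool must pair nat(src) with global(dst)
        return any(dst in rules["global"].get(pid, ()) for pid, ifcs in rules["nat"].items() if src in ifcs)
    # lower (or equal) -> higher: a static dnat for the port plus an inbound ACL on src that
    # permits the mapped address, which for "interface" statics is src's own address
    mapped = any(r == dst and m == src and p == dst_port for r, m, p, _, _ in rules["static"])
    acl = rules["acl"].get(rules["acl_in"].get(src), [])
    return mapped and any(a == "permit" and ip == s_ip and p == dst_port for a, ip, p in acl)

def exposed_from_outside(rules):
    """Defender view: every (zone, port) an Internet host can reach through this config."""
    ports = {p for _, m, p, _, _ in rules["static"] if m == "outside"}
    return sorted((d, p) for d in INTERFACES if d != "outside" for p in ports if flow_allowed(rules, "outside", d, p))
```

Running `exposed_from_outside(parse(ASA_CONFIG))` returns only the two DMZ ports published in section V; any extra `static` line without a matching `access-list` entry (or vice versa) is reported as not reachable, which is the mismatch to look for when auditing a real box.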
