There are many different firewall options out there, but one of the most prevalent is the Cisco ASA. This post is a basic configuration outline of the general setup of an ASA firewall with basic connectivity, logging, remote management, and dynamic and static NAT. While there are many services an ASA can provide, this post centers on an ASA running 8.x code, specifically the 8.0 to 8.2 releases: the global, nat and static commands shown below were replaced by object NAT in 8.3 and later, and from 8.3 on an inbound access list references the real (untranslated) address of a host rather than its public one. This particular setup is a firewall in routed mode, used for NAT/PAT, with only an inside and an outside interface configured.
The first settings to enter on an ASA, as on most other Cisco devices, are the hostname, the domain name, and the enable password used to enter privileged exec mode. The domain name is not cosmetic: it is part of the name of the RSA key pair generated for SSH later on.
config t
hostname LabASA1
domain-name labasa1.yourdomain.com
enable password Secret1
Next is the interface configuration for the ‘inside’ and ‘outside’ interfaces of the firewall. By default the security level of the outside interface of an ASA is ‘0’, meaning least trusted, while the ‘inside’ interface is ‘100’, the most trusted. The security levels drive the basic operation of the ASA: a connection initiated from a higher-security interface toward a lower-security interface is allowed by default, tracked statefully, and its return traffic is permitted back in; a connection initiated from a lower-security interface toward a higher one is denied unless an access list explicitly permits it. Physical interfaces on the ASA are administratively shut down by default, so each one also needs a no shutdown.
config t
interface ethernet 0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
interface ethernet 0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
For the purposes of this post, we will be using the 10.1.1.x subnet as a simulated ‘public’ IP range, and 192.168.1.x as a private IP range. The outside designation corresponds to the public internet side of an ASA firewall, while the inside designation is the connection point to the internal network.
The route outside command is the equivalent of a default (quad zero) route on a router: everything not otherwise known is sent to the upstream gateway 10.1.1.1. The route inside statement covers internal subnets that are not directly connected to the firewall; 192.168.1.0/24 is already known as a connected route, so the 192.168.0.0/16 summary below exists to reach other 192.168.x.x subnets sitting behind an internal router at 192.168.1.2. The trailing 1 is the administrative distance.
config t
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
To aid in troubleshooting it is always a good idea to enable logging, even if it is only to the local buffer. logging enable turns the logging subsystem on; logging buffered sets the severity level of messages kept in the buffer (informational is a reasonable starting point and includes connection build/teardown messages).
config t
logging enable
logging buffered informational
After the basics are in place you will want to allow remote access using a local user account, and restrict that access to specific source ranges on the interfaces you intend to manage the ASA from. SSH on the ASA requires an RSA key pair (the firewall refuses SSH connections until one exists), and SSH version 1 should be disabled by forcing version 2.
The commands below generate the key pair, allow SSH to the outside interface from 10.1.1.0/24, and allow SSH to the inside interface from 192.168.1.0/24. Note the subnet mask: an address of 10.1.1.0 with a mask of 255.255.255.255 would permit a single host (the network address itself, which no management station uses), not the /24 described.
SSH should only be allowed into your firewall from trusted sources; in particular, opening it on the outside interface should be limited to known management hosts, not the whole provider subnet.
config t
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.1.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
The ASA also provides a GUI for management called ASDM. ASDM is served over HTTPS by the firewall itself, so the HTTP server has to be enabled:
config t
http server enable
The http command then restricts which source ranges may reach ASDM on which interface. As with ssh, the mask must match the range you mean: 192.168.1.0 with 255.255.0.0 is not a valid network/mask pair for the inside /24, and the intended range is 192.168.1.0/24.
config t
http 192.168.1.0 255.255.255.0 inside
Last, but not least, in order to have a login account to manage the ASA you must create a local user with admin (privilege 15) rights, and tell the ASA to use the local user database for SSH authentication. Do not add the encrypted keyword when typing a cleartext password: encrypted tells the ASA that the string you supply is already a password hash, so it stores the literal string as the hash and the login will never succeed. The hash is generated and shown as encrypted in the running config automatically. If you want ASDM to use the same account, add aaa authentication http console LOCAL as well; without it ASDM logs in with a blank username and the enable password.
config t
username administrator password Secret4admin privilege 15
aaa authentication ssh console LOCAL
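The mask mistakes called out above are easy to make at the CLI and easy to miss in a long running config. The following script is an added example written for this post (not a Cisco tool) that audits the management-plane lines of an 8.x config: it parses the interface addresses, then checks every ssh and http line for an invalid network/mask pair, an any-source range, a single-host rule pointing at the subnet's network or broadcast address, management opened on the outside interface, and sources not in the connected subnet of the named interface; it also flags a username line that combines the encrypted keyword with something that does not look like a hash. Assumptions: IPv4 only, interfaces defined with nameif and ip address as in this post, and that ASA 8.x encrypted password hashes are 16 characters drawn from the base64 alphabet. The sample config embedded in the script is constructed and deliberately keeps the two original mask errors.

```python
"""Audit the remote-management lines of an ASA 8.x running config.
Example code written for this post; not Cisco software."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines from the post, keeping the /32 on 10.1.1.0
# and the /16 on 192.168.1.0 so the audit has something to catch.
MGMT_CONFIG = """\
hostname LabASA1
interface ethernet 0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
interface ethernet 0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ssh 10.1.1.0 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.0.0 inside
username administrator password Secret4admin encrypted privilege 15
aaa authentication ssh console LOCAL
"""

MGMT_LINE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER_LINE = re.compile(r"^username \S+ password (\S+) encrypted")
HASH_16 = re.compile(r"^[A-Za-z0-9./]{16}$")  # assumed shape of an 8.x password hash


def parse_interfaces(lines: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Return {nameif: connected subnet} from interface/nameif/ip address blocks."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    current: Dict[str, object] = {}
    for line in lines:
        if line.startswith("interface "):
            current = {}
        elif line.strip().startswith("nameif "):
            current["name"] = line.split()[1]
        elif line.strip().startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            current["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        if "name" in current and "net" in current:
            nets[str(current["name"])] = current["net"]  # type: ignore[assignment]
    return nets


def audit_management_access(config: str) -> List[Tuple[str, str]]:
    """Return (finding_code, offending_line) pairs; an empty list means clean."""
    lines = config.splitlines()
    nets = parse_interfaces(lines)
    findings: List[Tuple[str, str]] = []
    if "ssh version 2" not in lines:
        findings.append(("NO_SSH_V2", "ssh version 2 is not set, so SSHv1 is still accepted"))
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append(("NO_AAA_SSH", "ssh logins are not tied to the local user database"))
    for line in lines:
        m = MGMT_LINE.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            try:
                allowed = ipaddress.ip_network(f"{addr}/{mask}")  # strict: host bits must be 0
            except ValueError:
                findings.append(("MASK_MISMATCH", line))  # e.g. 192.168.1.0 with 255.255.0.0
                continue
            iface = nets.get(ifname)
            if allowed.prefixlen == 0:
                findings.append(("ANY_SOURCE", line))
            elif iface is None:
                findings.append(("UNKNOWN_INTERFACE", line))
            elif allowed.prefixlen == 32 and allowed.network_address in (
                    iface.network_address, iface.broadcast_address):
                # A /32 on the subnet's network or broadcast address never matches a
                # real station; almost always a mask typo (the post's 255.255.255.255).
                findings.append(("HOST_IS_NETWORK_ADDRESS", line))
            elif not allowed.subnet_of(iface):
                # Reachable only via a route; legitimate for a remote jump host, so
                # this is informational and worth confirming rather than an error.
                findings.append(("NOT_IN_CONNECTED_SUBNET", line))
            if ifname == "outside":
                findings.append(("MGMT_ON_OUTSIDE", line))
            continue
        u = USER_LINE.match(line)
        if u and not HASH_16.match(u.group(1)):
            # 'encrypted' means "this string is already the hash"; with a cleartext
            # password the stored hash is the literal text and the login can never work.
            findings.append(("ENCRYPTED_CLEARTEXT", line))
    return findings


if __name__ == "__main__":
    for code, text in audit_management_access(MGMT_CONFIG):
        print(f"{code:25s} {text}")
```

Run against the sample it reports the missing ssh version 2, the /32 on 10.1.1.0, management on the outside interface, the invalid http mask, and the encrypted-with-cleartext username; applying the corrected lines from the post leaves only the informational note that SSH is open on the outside interface.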
Once you have basic IP connectivity, logging setup, and remote access hammered out, the next most basic function of a firewall is to provide NAT/PAT functions to the internally addressed hosts so they can access the internet.
The following statements set up dynamic NAT/PAT of all inside hosts to the outside interface’s own IP address. The nat statement selects which inside traffic is translated (0.0.0.0 0.0.0.0 means everything) and tags it with NAT ID 1; the global statement with the same ID says what to translate it to, here the outside interface address, which means PAT (many inside hosts sharing one public IP, distinguished by port). This is the pre-8.3 syntax; from 8.3 onward the same result is expressed with a network object and object NAT.
config t
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
If a device on the internal network requires the same public IP address every time it goes to the internet, a static mapping can be created that permanently binds one public address to one internal host. A static translation is bidirectional: outbound traffic from 192.168.1.5 leaves as 10.1.1.5, and inbound traffic to 10.1.1.5 is translated to 192.168.1.5, though it is still dropped until an access list on the outside interface permits it.
config t
static (inside,outside) 10.1.1.5 192.168.1.5 netmask 255.255.255.255
If that host is a web server, for example, and needs to be reached from the internet on its public address, you have to create an access list that explicitly allows traffic from the internet to the public IP address of the server on that particular port, because lower-to-higher security traffic is denied by default.
Below, the access list named ‘world’ allows HTTPS to 10.1.1.5 and is applied inbound on the outside interface with the access-group command in global configuration mode. On pre-8.3 code the access list matches the translated (public) address, as here; on 8.3 and later the same rule would be written against the real address 192.168.1.5. Keep the entries as narrow as the service allows: a permit ip any any on the outside interface exposes every statically mapped host on every port.
config t
access-list world extended permit tcp any host 10.1.1.5 eq https
access-group world in interface outside
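Because a pre-8.3 outside access list names public addresses, reading it tells you nothing about which internal hosts are actually reachable until you fold in the static translations. The script below is an added example written for this post (not Cisco code) that does that folding: it parses static and access-list lines, finds the list applied inbound on the outside interface, and resolves each permit entry to the inside host, protocol and port it exposes. It reports entries whose destination has no static (they match nothing the firewall translates) and expands a permit ip any any into the full list of translated hosts it opens up. Assumptions: the pre-8.3 one-to-one static form with a netmask, no port operators on the source side of an entry, and a small constructed table of the service names the sample uses. The sample config is constructed for the example and extends the post's single rule with a few more entries to show each case.

```python
"""Resolve which inside hosts an ASA 8.x (pre-8.3) outside ACL exposes.
Example code written for this post; not Cisco software."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed: only the service names used by the sample below.
PORT_NAMES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}

# Constructed sample: the post's static and rule, plus entries that illustrate a
# restricted source, a destination with no static, and a wide-open rule.
NAT_CONFIG = """\
static (inside,outside) 10.1.1.5 192.168.1.5 netmask 255.255.255.255
static (inside,outside) 10.1.1.6 192.168.1.6 netmask 255.255.255.255
access-list world extended permit tcp any host 10.1.1.5 eq https
access-list world extended permit tcp any host 10.1.1.5 eq 8080
access-list world extended permit tcp 203.0.113.0 255.255.255.0 host 10.1.1.6 eq ssh
access-list world extended permit tcp any host 10.1.1.7 eq http
access-list world extended permit ip any any
access-group world in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
Static = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]   # (public, private)
Entry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]
Exposure = Tuple[Optional[str], str, Optional[int], str]        # inside host, proto, port, source


def parse_endpoint(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse an ACL source/destination at tok[i]: 'any' | 'host A' | 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(config: str) -> Tuple[List[Static], Dict[str, List[Entry]], Dict[str, str]]:
    """Return (statics, {acl name: entries}, {interface: acl applied inbound})."""
    statics: List[Static] = []
    acls: Dict[str, List[Entry]] = {}
    applied: Dict[str, str] = {}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                _, _, pub, priv, mask = m.groups()
                statics.append((ipaddress.ip_network(f"{pub}/{mask}"),
                                ipaddress.ip_network(f"{priv}/{mask}")))
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = parse_endpoint(tok, 5)
            dst, i = parse_endpoint(tok, i)
            port = None
            if i < len(tok) and tok[i] == "eq":      # destination port only (see lead-in)
                p = tok[i + 1]
                port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":               # access-group NAME in interface IF
            applied[tok[4]] = tok[1]
    return statics, acls, applied


def translate(statics: List[Static], ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
    """Map a public address to the inside host a static binds it to, preserving the offset."""
    for pub, priv in statics:
        if ip in pub:
            return priv.network_address + (int(ip) - int(pub.network_address))
    return None


def hosts_of(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    return list(net.hosts()) if net.prefixlen < 32 else [net.network_address]


def exposed_inside_hosts(config: str, interface: str = "outside") -> List[Exposure]:
    """One row per (permit entry, destination host): the inside host it reaches, or None."""
    statics, acls, applied = parse_config(config)
    report: List[Exposure] = []
    for action, proto, src, dst, port in acls.get(applied.get(interface, ""), []):
        if action != "permit":
            continue
        if dst.prefixlen == 0:
            # 'any' destination: every statically translated inside host matches.
            for _pub, priv in statics:
                for h in hosts_of(priv):
                    report.append((str(h), proto, port, str(src)))
            continue
        for pub_ip in hosts_of(dst):
            inside = translate(statics, pub_ip)
            report.append((str(inside) if inside else None, proto, port, str(src)))
    return report


if __name__ == "__main__":
    for inside, proto, port, src in exposed_inside_hosts(NAT_CONFIG):
        print(f"{inside or 'NO STATIC':15s} {proto}/{port or 'all'} from {src}")
```

A None in the first column is a rule that permits a public address nothing is translated to, which is either dead configuration or a static someone forgot to add; the rows produced by permit ip any any are the ones to act on first.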
After entering the configuration above you have an ASA with IP addresses on its interfaces and basic inside and outside security levels defined, logging and remote access set up, and an enable password specified. You also have dynamic and static NAT, plus controlled external access to a privately addressed host through its static translation.
The last topic to cover in a basic firewall setup is the purpose of the class map, policy map, and service policy on the ASA, collectively the Modular Policy Framework. The structure is borrowed from the class-map/policy-map/service-policy model of Cisco IOS QoS: the class map identifies traffic, the policy map specifies what action to take on the classified traffic, and the service policy applies that policy to a particular interface or globally to the device.
The ASA ships with a default policy map that already has some core features enabled. The list of protocols in it tells the ASA to ‘inspect’ those traffic types as they traverse the firewall. Basic stateful behaviour does not depend on inspection: the ASA builds a connection table for every TCP and UDP session it permits and uses it to allow the return traffic back in. What inspection adds is application-layer awareness for protocols that cannot be handled by a simple 5-tuple, such as FTP, H.323 and SIP, which negotiate secondary data channels on dynamic ports and embed IP addresses inside the payload that have to be rewritten when NAT is in play. Without inspect ftp, for example, the data connection of an active-mode FTP transfer would be dropped. Below is the default policy map and its associated commands for the applications enabled for inspection out of the box.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
There are various other inspections that can be added to the policy map, including icmp (without inspect icmp, replies to pings sent from the inside are not treated as return traffic and need an access list to get back in) and a host of other protocols.
The steps covered in this post aid in the setup and briefly describe the basic functions that would be needed in an ASA firewall to provide NAT to an internal network. Look for future posts regarding the configuration and setup of other functions that can be configured on Cisco’s ASA firewalls.