21.7.6 Optional Lab – Configure ASA Network Services, Routing, and DMZ with ACLs Using CLI Answers

21.7.6 Optional Lab – Configure ASA Network Services, Routing, and DMZ with ACLs Using CLI Answers version

Topology

Topology

Objectives

• Part 1: Configure Basic Device Settings
• Part 2: Configure Routing, Address Translation, and Inspection Policy
• Part 3: Configure DHCP, AAA, and SSH
• Part 4: Configure the DMZ, Static NAT, and ACLs

Background / Scenario

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and FirePOWER services. This lab employs an ASA 5506-X to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: OUTSIDE, INSIDE, and DMZ. It provides outside users limited access to the DMZ and no access to inside resources. Inside users can access the DMZ and outside resources.

The focus of this lab is to configure basic ASA as a basic firewall. Other devices will receive minimal configuration to support the ASA portion of this lab. This lab uses the ASA CLI, which is similar to the IOS CLI, to configure basic device and security settings.

In Part 1 of this lab, you will configure the topology and non-ASA devices. This part can be skipped if your topology is still configured from the previous lab, Configure ASA 5506-X Basic Settings and Firewall Using CLI. In Part 2, you will configure routing, NAT, and the firewall between the inside and outside networks. In Part 3, you will configure the ASA for additional services, such as DHCP, AAA, and SSH. In Part 4, you will configure a DMZ on the ASA and provide access to a server in the DMZ.

Note: The routers used with hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.6 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960+ with Cisco IOS Release 15.2(7) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

The ASA used with this lab is a Cisco model 5506-X with an 8-port integrated switch, running OS version 9.15(1), Adaptive Security Device Manager (ASDM) version 7.15(1).

Note: Before you begin, ensure that the devices have been erased and have no startup configurations.

Required Resources

• 1 Router (Cisco 4221 with Cisco XE Release 16.9.6 universal image or comparable with a Security Technology Package license)
• 3 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image or comparable)
• 3 PCs (Windows OS with a terminal emulation, such as PuTTY or Tera Term installed)
• 1 ASA 5506-X (OS version 9.15(1) and ASDM version 7.15(1) and Base license or comparable)
• Console cables to configure Cisco networking devices
• Ethernet cables as shown in the topology

Instructions

Part 1: Configure Basic Device Settings

In this part, you will set up the network topology and configure basic settings on the routers, such as interface IP addresses and static routing.

Note: If you proceeded directly to this lab from the previous lab and your configurations have not changed, you can proceed directly to Part 2.

Step 1: Cable the network and clear previous device settings.

Attach the devices that are shown in the topology diagram and cable as necessary. Make sure the router and ASA have been erased and have no startup configuration.

Note: To avoid using the switches, use a cross-over cable to connect the end devices

Step 2: Configure the ASA.

Use the following script to configure the ASA. This will return ASA to the state it was in at the end of the last lab.

a. Use the write erase command to remove the startup-config file from flash memory.

b. Use the reload command to restart the ASA.

c. Answer no to the following prompt

Pre-configure Firewall now through interactive prompts [yes]? No

User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> enable
The enable password is not set. Please set it now.
Enter Password: class
Repeat Password: class
Note: Save your configuration so that the password persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: no

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)#

d. Use the following script to configure the ASA.

ASA Script

hostname NETSEC-ASA
domain-name netsec.com
passwd cisco
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address 209.165.200.226 255.255.255.248
no shutdown
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
domain-name netsec.com
!
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
!
end
write mem

Step 3: Configure R1 and the end devices.

a. Use the following script to configure R1. No additional configuration for R1 will be required for this lab.

Note: R1 does not need any routing as all inbound packets from the ASA will have 209.165.200.226 as the source IP address.

R1 Script

enable
configure terminal
hostname R1
security passwords min-length 10
enable algorithm-type scrypt secret cisco12345
ip domain name netsec.com
username admin01 algorithm-type scrypt secret cisco12345
interface GigabitEthernet0/0/0
ip address 172.16.3.1 255.255.255.0
no shutdown
interface GigabitEthernet0/0/1
ip address 209.165.200.225 255.255.255.248
no shutdown
crypto key generate rsa general-keys modulus 1024
ip http server
line con 0
exec-timeout 5 0
logging synchronous
login local
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
end
copy running start

b. Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.

Step 4: Verify connectivity.

R1 should be able to ping the OUTSIDE interface for the ASA. PC-B should be able to ping the INSIDE interface for the ASA. If these pings are not successful, troubleshoot the basic device configurations before continuing. PC-A and PC-C will not be able to ping the ASA.

Part 2: Configure Routing, Address Translation, and Inspection Policy

In this part of this lab, you will provide a default route for the ASA to reach external networks. You will configure address translation using network objects to enhance firewall security. You will then modify the default application inspection policy to allow specific traffic.

Step 1: Configure a static default route for the ASA.

The ASA OUTSIDE interface is configured with a static IP address and subnet mask. However, the ASA does not have a gateway of last resort defined. To enable the ASA to reach external networks, you will configure a default static route on the ASA OUTSIDE interface.

Note: If the ASA OUTSIDE interface was configured as a DHCP client, it could obtain a default gateway IP address from the ISP. However, in this lab, the OUTSIDE interface is configured with a static address.

a. Ping from the ASA to R1 G0/0/1 at IP address 209.165.200.225.

Was the ping successful?

Yes, 209.165.200.224/248 is a directly connected network for both R1 and the ASA.

b. Ping from the ASA to R1 G0/0/0 at IP address 172.16.3.1.

Was the ping successful?

No, the ASA does not have a route to 10.1.1.0/30.

c. Create a “quad zero” default route using the route command, associate it with the ASA OUTSIDE interface, and point to the R1 G0/0/1 at IP address 209.165.200.225 as the gateway of last resort. The default administrative distance is one by default.

NETSEC-ASA(config)# route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.225

d. Issue the show route command to display the ASA routing table and the static default route you just created.

NETSEC-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 209.165.200.225 to network 0.0.0.0

S*     0.0.0.0 0.0.0.0 [1/0] via 209.165.200.225, OUTSIDE
C      192.168.1.0 255.255.255.0 is directly connected, INSIDE
L      192.168.1.1 255.255.255.255 is directly connected, INSIDE
C      209.165.200.224 255.255.255.248 is directly connected, OUTSIDE
L      209.165.200.226 255.255.255.255 is directly connected, OUTSIDE

e. Ping from the ASA to R1 G0/0/0 IP address 172.16.3.1.

Was the ping successful?
Yes. The ASA now has a default route to unknown networks.

Step 2: Configure address translation using PAT and network objects.

Beginning with ASA version 8.3, network objects are used to configure all forms of NAT. A network object is created, and it is within this object that NAT is configured. In Step 2a, the network object INSIDE-NET is used to translate the inside network addresses (192.168.10.0/24) to the global address of the OUTSIDE ASA interface. This type of object configuration is called Auto-NAT.

a. Create the network object INSIDE-NET and assign attributes to it using the subnet and nat commands.

NETSEC-ASA(config)# object network INSIDE-NET
NETSEC-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
NETSEC-ASA(config-network-object)# end

b. The ASA splits the configuration into the object portion that defines the network to be translated and the actual nat command parameters. These appear in two different places in the running configuration. Display the NAT object configuration using the show run object and show run nat commands.

NETSEC-ASA# show run object
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
NETSEC-ASA# show run nat
!
object network INSIDE-NET
 nat (INSIDE,OUTSIDE) dynamic interface

c. From PC-B, attempt to ping the R1 G0/0/1 interface at IP address 209.165.200.225.

Were the pings successful? No.

d. Issue the show nat command on the ASA to see the translated and untranslated hits. Notice that, of the pings from PC-B, four were translated and four were not because ICMP is not being inspected by the global inspection policy. The outgoing pings (echoes) were translated, and the returning echo replies were blocked by the firewall policy. You will configure the default inspection policy to allow ICMP in the next step.

Note: Depending on the processes and daemons running on the particular computer used as PC-B, you may see more translated and untranslated hits than the four echo requests and echo replies.

NETSEC-ASA# show nat

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INSIDE-NET interface
    translate_hits = 4, untranslate_hits = 4

e. Ping from PC-B to R1 again and quickly issue the show xlate command to see the addresses being translated. However, ICMP is denied, by default, be the firewall inspection policy

NETSEC-ASA# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

ICMP PAT from INSIDE:192.168.1.3/1 to OUTSIDE:209.165.200.226/1 flags ri
idle 0:00:02 timeout 0:00:30

Note: The flags (r and i) indicate that the translation was based on a port map (r) and was done dynamically (i).

f. Open a browser on PC-B and enter the IP address of R1 G0/0/1 (https://209.165.200.225). The connection will fail, but you will see a secure connection error message. These means PC-B received a replay from R1.The connection was denied because PC-B does not have a certificate for a Secure Socket Layer (SSL) connection. However, TCP-based HTTP traffic was permitted to egress the OUTSIDE interface on the ASA, by default, by the firewall inspection policy.

g. On the ASA, reissue the show nat and show xlate commands to see the hits and addresses being translated for the HTTP connection.

NETSEC-ASA# show nat

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INSIDE-NET interface
    translate_hits = 17, untranslate_hits = 4
NETSEC-ASA# show xlate
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from INSIDE:192.168.1.3/49503 to OUTSIDE:209.165.200.226/49503 flags ri idle
0:01:24 timeout 0:00:30
TCP PAT from INSIDE:192.168.1.3/49502 to OUTSIDE:209.165.200.226/49502 flags ri idle
0:01:24 timeout 0:00:30
TCP PAT from INSIDE:192.168.1.3/49501 to OUTSIDE:209.165.200.226/49501 flags ri idle
0:01:25 timeout 0:00:30
TCP PAT from INSIDE:192.168.1.3/49500 to OUTSIDE:209.165.200.226/49500 flags ri idle
0:01:25 timeout 0:00:30
NETSEC-ASA#

Step 3: Modify the default MPF application inspection global service policy.

For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs. Cisco MPF uses three configuration objects to define modular, object-oriented, and hierarchical policies:

• Class maps – Define a match criterion.
• Policy maps – Associate actions to the match criteria.
• Service policies – Attach the policy map to an interface, or globally to all interfaces of the appliance.

a. Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Only traffic that was initiated from the inside is allowed back in to the OUTSIDE interface. Notice that the ICMP protocol is missing.

NETSEC-ASA# show run | begin class
class-map inspection_default
 match default-inspection-traffic
! !
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
 policy-map global_policy
 class inspection_default
  inspect snmp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
!
service-policy global_policy global
<output omitted>

b. Add the inspection of ICMP traffic to the policy map list using the following commands:

NETSEC-ASA# configure terminal
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# inspect icmp

c. Display the default MPF polich map to verify ICMP is now listed in the inspection rules.

NETSEC-ASA(config-pmap-c)# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect snmp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect icmp
!

d. From PC-B, attempt to ping the R1 G0/0 interface at IP address 209.165.200.225. The pings should be successful this time because ICMP traffic is now being inspected and legitimate return traffic is being allowed.

Part 3: Configure DHCP, AAA, and SSH

In this part, you will configure ASA features, such as DHCP and enhanced login security, using AAA and SSH.

Step 1: Configure the ASA as a DHCP server.

The ASA can be both a DHCP server and a DHCP client. In this step, you will configure the ASA as a DHCP server to dynamically assign IP addresses for DHCP clients on the inside network.

a. Configure a DHCP address pool and enable it on the ASA INSIDE interface. This is the range of addresses to be assigned to inside DHCP clients. Set the range from 192.168.1.5 through 192.168.1.100.

NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)# dhcpd address 192.168.1.5-192.168.1.100 INSIDE

b. (Optional) Specify the IP address of the DNS server to be given to clients.

NETSEC-ASA(config)# dhcpd dns 209.165.201.2

Note: Other parameters can be specified for clients, such as WINS server, lease length, and domain name. By default, the ASA sets its own IP address as the DHCP default gateway, so there is no need to configure it. However, to manually configure the default gateway, or set it to a different networking device’s IP address, use the following command:

NETSEC-ASA(config)# dhcpd option 3 ip 192.168.1.1

c. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (INSIDE).

NETSEC-ASA(config)# dhcpd enable INSIDE

d. Verify the DHCP daemon configuration by using the show run dhcpd command.

NETSEC-ASA(config)# show run dhcpd
dhcpd dns 209.165.201.2
dhcpd option 3 ip 192.168.1.1
!
dhcpd address 192.168.1.5-192.168.1.100 INSIDE
dhcpd enable INSIDE

e. Access the Network Connection IP Properties for PC-B, and change it from a static IP address to a DHCP client so that it obtains an IP address automatically from the ASA DHCP server. The procedure to do this varies depending on the PC operating system. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA.

Verify that PC-B was assigned an IP address from 192.168.1.5 to 192.168.1.100, which will most likely be 192.168.1.5. PC-B should still be able to ping the G0/0/1 interface for R1 at 209.165.200.225.
Answers Notes: Configuring the ASA as a DHCP client (informational only).

These instructions are provided to configure the OUTSIDE interface as a DHCP client in the event the ASA needs to obtain its public IP address from an ISP. This is not performed as part of the lab. Optionally, you may wish to configure router R1 as a DHCP server to provide the necessary information to the ASA.

The following command configures the ASA OUTSIDE interface to receive its IP address information via a DHCP server and sets the default route using the default gateway parameter provided by the ISP DHCP server.

NETSEC-ASA(config)# interface g1/1

NETSEC-ASA(config-if)# ip address dhcp setroute

Step 2: Configure AAA to use the local database for authentication.

a. Define a local user named admin by entering the username command. Specify a password of cisco12345.

NETSEC-ASA(config)# username admin password cisco12345

b. Configure AAA to use the local ASA database for SSH user authentication.

NETSEC-ASA(config)# aaa authentication ssh console LOCAL

Note: For added security, starting with ASA version 8.4(2), configure AAA authentication to support SSH connections. The Telnet/SSH default login is not supported. You can no longer connect to the ASA using SSH with the default username and the login password.

Step 3: Configure SSH remote access to the ASA.

You can configure the ASA to accept SSH connections from a single host or a range of hosts on the inside or outside network.

a. Generate an RSA key pair, which is required to support SSH connections. The modulus (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate an RSA. Specify a modulus of 2048 using the crypto key command.

NETSEC-ASA(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Note: You may receive a message that a RSA key pair is already defined. To replace the RSA key pair enter yes at the prompt.

b. Save the RSA keys to persistent flash memory using the write mem command. Your “Cryptochecksum” values will be different

NETSEC-ASA(config)# write mem
Building configuration...
Cryptochecksum: 3c845d0f b6b8839a f9e43be0 33feb4ef
3270 bytes copied in 0.890 secs
[OK]

c. Configure the ASA to allow SSH connections from any host on the inside network (192.168.1.0/24) and from the remote management host at the branch office (172.16.3.3) on the outside network. Set the SSH timeout to 10 minutes (the default is 5 minutes).

NETSEC-ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE
NETSEC-ASA(config)# ssh 172.16.3.3 255.255.255.255 OUTSIDE
NETSEC-ASA(config)# ssh timeout 10

d. On PC-C, use an SSH client (such as PuTTY) to connect to the ASA OUTSIDE interface at the IP address 209.165.200.226. The first time you connect you may be prompted by the SSH client to accept the RSA host key of the ASA SSH server. Log in as user admin and provide the password cisco12345.

e. You can also connect to the ASA INSIDE interface from a PC-B SSH client using the IP address 192.168.1.1.

Part 4: Configure DMZ, Static NAT, and ACLs

Previously, you configured address translation using PAT for the inside network. In this part of the lab, you will create a DMZ on the ASA, configure static NAT to a DMZ server, and apply ACLs to control access to the server.

To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range assigned 209.165.200.224/29 (.224-.231). Router R1 G0/0 and the ASA OUTSIDE interface are already using 209.165.200.225 and .226. You will use the public address 209.165.200.227 and static NAT to provide address translation access to the server.

Step 1: Configure the DMZ interface G1/3 on the ASA.

a. Configure DMZ interface G1/3 which is on the LAN where the public access web server will reside. Assign the interface IP address 192.168.2.1/24, name it DMZ, assign it a security level of 70 and enable the interface.

NETSEC-ASA(config)# interface g1/3
NETSEC-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
NETSEC-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
NETSEC-ASA(config-if)# security-level 70
NETSEC-ASA(config-if)# no shut
NETSEC-ASA(config-if)# end
NETSEC-ASA#

b. Display the status for all ASA interfaces using the show interface ip brief command.

NETSEC-ASA # show interface ip brief
Interface               IP-Address      OK? Method Status                Protocol
Virtual0                127.1.0.1       YES unset  up                    up
GigabitEthernet1/1      209.165.200.226 YES manual up                    up
GigabitEthernet1/2      192.168.1.1     YES manual up                    up
GigabitEthernet1/3      192.168.2.1     YES manual up                    up
GigabitEthernet1/4      unassigned      YES unset  administratively down down
GigabitEthernet1/5      unassigned      YES unset  administratively down down
GigabitEthernet1/6      unassigned      YES unset  administratively down down
GigabitEthernet1/7      unassigned      YES unset  administratively down down
GigabitEthernet1/8      unassigned      YES unset  administratively down down
Internal-Control1/1     unassigned      YES unset  down                  down
Internal-Data1/1        unassigned      YES unset  down                  down
Internal-Data1/2        unassigned      YES unset  down                  down
Internal-Data1/3        unassigned      YES unset  up                    up
Internal-Data1/4        169.254.1.1     YES unset  up                    up
Management1/1           unassigned      YES unset  administratively down down

c. Display the information for the interfaces using the show ip address command.

NETSEC-ASA # show ip address
System IP Addresses:
Interface           Name        IP address       Subnet mask     Method
GigabitEthernet1/1  OUTSIDE     209.165.200.226  255.255.255.248 manual
GigabitEthernet1/2  INSIDE      192.168.1.1      255.255.255.0   manual
GigabitEthernet1/3  DMZ         192.168.2.1      255.255.255.0   manual
Current IP Addresses:
Interface           Name        IP address       Subnet mask     Method
GigabitEthernet1/1  OUTSIDE     209.165.200.226  255.255.255.248 manual
GigabitEthernet1/2  INSIDE      192.168.1.1      255.255.255.0   manual
GigabitEthernet1/3  DMZ         192.168.2.1      255.255.255.0   manual

Step 2: Configure static NAT to the DMZ server using a network object.

Configure a network object named DMZ-SERVER and assign it the static IP address of the DMZ server (192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to translate a DMZ address to an outside address using static NAT, and specify a public translated address of 209.165.200.227.

NETSEC-ASA# configure terminal
NETSEC-ASA(config)# object network DMZ-SERVER
NETSEC-ASA(config-network-object)# host 192.168.2.3
NETSEC-ASA(config-network-object)# nat (DMZ,OUTSIDE) static 209.165.200.227
NETSEC-ASA(config-network-object)# exit
NETSEC-ASA(config)#

Step 3: Configure an ACL to allow access to the DMZ server from the Internet.

Configure a named access list (OUTSIDE-DMZ) that permits any IP protocol from any external host to the internal IP address of the DMZ server. Apply the access list to the ASA OUTSIDE interface in the IN direction.

NETSEC-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3
NETSEC-ASA(config)# access-group OUTSIDE-DMZ in interface OUTSIDE

Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal private DMZ address. External hosts access the server using its public static NAT address, the ASA translates it to the internal host IP address, and then applies the ACL.

You can modify this ACL to allow only services that you want to be exposed to external hosts, such as web (HTTP) or file transfer (FTP).

Step 4: Test access to the DMZ server.

a. Source a ping from the G0/0/0 interface on R1 (172.16.3.1) to the public IP address for the DMZ server. The pings should be successful.

R1# ping 209.165.200.227 source g0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#

b. Clear the NAT counters using the clear nat counters command.

NETSEC-ASA# clear nat counters

c. Ping from PC-C to the DMZ server at the public address 209.165.200.227. The pings should be successful.

d. Issue the show nat and show xlate commands on the ASA to see the effect of the pings. Both the PAT (INSIDE to OUTSIDE) and static NAT (DMZ to OUTSIDE) policies are shown.

NETSEC-ASA# show nat

Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static DMZ-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (INSIDE) to (OUTSIDE) source dynamic INSIDE-NET interface
    translate_hits = 1, untranslate_hits = 3

Note: Pings from inside to outside are translated hits. Pings from outside host PC-C to the DMZ are considered untranslated hits.

NETSEC-ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from DMZ:192.168.2.3 to OUTSIDE:209.165.200.227
    flags s idle 0:22:58 timeout 0:00:00

Note: This time the flag is “s”, which indicates a static translation.

e. You can also access the DMZ server from a host on the inside network because the ASA INSIDE interface (G1/2) is set to a security level of 100 (the highest) and the DMZ interface (G1/3) is set to 70. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.X). The pings should be successful because of the interface security level and the fact that ICMP is being inspected on the INSIDE interface by the global inspection policy. The pings from PC-B to PC-A will not affect the NAT translation counts because both PC-B and PC-A are behind the firewall, and no translation takes place.

The DMZ server cannot ping PC-B on the inside network because the DMZ interface has a lower security level. Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.3. The pings should not be successful.

Use the show run command to display the configuration for G1/3.

NETSEC-ASA# show run interface g1/3
!
interface g1/3
nameif DMZ
 security-level 70
 ip address 192.168.2.1 255.255.255.0

Note: An access list can be applied to the INSIDE interface to control the type of access to be permitted or denied to the DMZ server from inside hosts.

Reflection Questions

1. How does the configuration of the ASA firewall differ from that of an ISR?
There are more security features and default settings, such as interface security levels, built-in ACLs, and default inspection policies.

2. What does the ASA use to define address translation and what is the benefit?
Objects and groups allow the creation of modular structures and the configuration of attributes.

Router Interface Summary Table

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configs (Final)

NETSEC-ASA (5506-X)

NETSEC-ASA# show run

: Saved

:

: Serial Number: JAD21140GC5

: Hardware:ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

:

ASA Version 9.15(1)1

!

hostname NETSEC-ASA

domain-name netsec.com

enable password ***** pbkdf2

service-module 1 keepalive-timeout 4

service-module 1 keepalive-counter 6

service-module sfr keepalive-timeout 4

service-module sfr keepalive-counter 6

passwd ***** encrypted

names

no mac-address auto

!

interface GigabitEthernet1/1

nameif OUTSIDE

security-level 0

ip address 209.165.200.226 255.255.255.248

!

interface GigabitEthernet1/2

nameif INSIDE

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet1/3

nameif DMZ

security-level 70

ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/8

shutdown

no nameif

no security-level

no ip address

!

interface Management1/1

management-only

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name netsec.com

object network INSIDE-NET

subnet 192.168.1.0 255.255.255.0

object network DMZ-SERVER

host 192.168.2.3

access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3

pager lines 24

mtu OUTSIDE 1500

mtu INSIDE 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

!

object network INSIDE-NET

nat (INSIDE,OUTSIDE) dynamic interface

object network DMZ-SERVER

nat (DMZ,OUTSIDE) static 209.165.200.227

access-group OUTSIDE-DMZ in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.225 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 192.168.1.0 255.255.255.0 INSIDE

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 10

ssh version 2

ssh key-exchange group dh-group14-sha256

ssh 172.16.3.3 255.255.255.255 OUTSIDE

ssh 192.168.1.0 255.255.255.0 INSIDE

console timeout 0

dhcpd dns 209.165.201.2

dhcpd option 3 ip 192.168.1.1

!

dhcpd address 192.168.1.5-192.168.1.100 INSIDE

dhcpd enable INSIDE

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username admin password ***** pbkdf2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect snmp

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email [email protected]

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4009e8dfe006364500a3a0f0e4b55bfb

: end

Router R1

R1# show run

Building configuration…

Current configuration : 1389 bytes

!

version 16.9

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

platform punt-keepalive disable-kernel-core

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

security passwords min-length 10

enable secret 5 $1$IqzA$Yleqbiia3ztmP6txGC0KF.

!

no aaa new-model

!

ip domain name netsec.com

!

login on-success log

!

subscriber templating

!

multilink bundle-name authenticated

!

license udi pid ISR4221/K9 sn FGL23313183

no license smart enable

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

username admin01 secret 9 $9$m1jhnk3g.tkrzF$gyTaS7FYmyJ3cy87mr40Yel6rs/NTqefCbXziAurHxg

!

redundancy

mode none

!

interface GigabitEthernet0/0/0

ip address 172.16.3.1 255.255.255.0

negotiation auto

!

interface GigabitEthernet0/0/1

ip address 209.165.200.225 255.255.255.248

negotiation auto

!

ip forward-protocol nd

ip http server

ip http secure-server

!

control-plane

!

line con 0

exec-timeout 0 0

logging synchronous

login local

transport input none

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 5 0

login local

transport input ssh

!

end

Switches S1, S2, and S3 – Use default configs