Related posts in this blog:
- Cisco ASA 5500-X Series Software 9.x Configuration Notes (Tips and Tricks)
- Cisco ASA Remote Access VPN Configuration 2 - Anyconnect VPN Configuration
- Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN Configuration
- Cisco ASAv HA Configurations
1. Check System Version and Module:
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 days 18 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0024
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is 7426.acc8.e4df, irq 11
 1: Ext: GigabitEthernet0/0  : address is 7426.acc8.e4e3, irq 10
 2: Ext: GigabitEthernet0/1  : address is 7426.acc8.e4e0, irq 10
 3: Ext: GigabitEthernet0/2  : address is 7426.acc8.e4e4, irq 5
 4: Ext: GigabitEthernet0/3  : address is 7426.acc8.e4e1, irq 5
 5: Ext: GigabitEthernet0/4  : address is 7426.acc8.e4e5, irq 10
 6: Ext: GigabitEthernet0/5  : address is 7426.acc8.e4e2, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 7426.acc8.e4df, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH100871J
Running Permanent Activation Key: 0xd516745 0x38b8dee 0x2533184 0xc09147c 0x001f093
Configuration register is 0x1
Configuration last modified by enable_15 at 07:55:47.355 UTC Wed Apr 16 2014

ciscoasa(config)# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH180871J
 ips Unknown                                      N/A                FCH180871J
cxsc Unknown                                      N/A                FCH180871J

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 7426.acc8.e4df to 7426.acc8.e4e6  1.0          2.1(9)8      9.1(2)
 ips 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A
cxsc 7426.acc8.e4dd to 7426.acc8.e4dd  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual
2. Set up ASDM Access
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.94.200.31 255.255.255.0
 no shutdown
http server enable
http 10.94.200.0 255.255.255.128 management
ssh 10.94.200.0 255.255.255.128 management
Browse to https://10.94.200.31/admin, then install the ASDM launcher.
3. Set up SSH Access on Management Interface
ciscoasa(config)# username admin password admin
ciscoasa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 67435a18 4790aaff 7584afa7 d28c43c0
2837 bytes copied in 0.680 secs
[OK]
ciscoasa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
ciscoasa(config)# username test password test
ciscoasa(config)# ssh 10.94.200.0 255.255.255.0 management
4. Basic Setup and Examples
- nameif
  ciscoasa(config)# interface vlan1
  ciscoasa(config-if)# nameif inside
  INFO: Security level for "inside" set to 100 by default.
- security-level
  ciscoasa(config-if)# interface vlan3
  ciscoasa(config-if)# nameif dmz
  ciscoasa(config-if)# security-level 50
- interface or vlan ip address
  ciscoasa(config-if)# interface vlan 1
  ciscoasa(config-if)# ip address 192.168.106.1
  ciscoasa(config-if)# interface ethernet 0/1
  ciscoasa(config-if)# switchport access vlan 1
  ciscoasa(config-if)# no shutdown
- Route
  ciscoasa(config-if)# route outside 0 0 1.1.1.1
- Test Configuration with Packet Tracer Feature
  - Simulate a TCP packet coming in the inside interface from IP address 192.168.0.125 on source port 12345, destined to IP address 203.0.113.1 on port 80:
    ciscoasa# packet-tracer input inside tcp 192.168.0.125 12345 203.0.113.1 80
  - Simulate a TCP packet coming in the outside interface from IP address 192.0.2.123 on source port 12345, destined to IP address 198.51.100.101 on port 80:
    ciscoasa# packet-tracer input outside tcp 192.0.2.123 12345 198.51.100.101 80
5. Transparent or Routed Firewall
Unicast IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an ACL.
Broadcast and multicast traffic can be passed using access rules.
The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
The transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you need to configure an EtherType ACL to deny them. If you are using failover, you might want to block BPDUs to prevent the switch port from going into a blocking state when the topology changes.
When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route lookups, however, are necessary for the following traffic types:
• Traffic originating on the ASA
• Traffic that is at least one hop away from the ASA with NAT enabled
• Voice over IP (VoIP) and DNS traffic with inspection enabled, where the endpoint is at least one hop away from the ASA
By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by enabling ARP inspection.
Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:
• Packets for directly connected devices—
• Packets for remote devices—
Transparent Mode Default Settings - The default mode is routed mode.
• By default, all ARP packets are allowed through the ASA.
• If you enable ARP inspection, the default setting is to flood non-matching packets.
• The default timeout value for dynamic MAC address table entries is 5 minutes.
• By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds corresponding entries to the MAC address table.
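The destination-MAC and EtherType rules above are easy to get wrong when troubleshooting a transparent-mode deployment (for example, working out why CDP or a non-listed multicast group never makes it across). The following is an added example, not code from the original post or from Cisco: a small Python model of those rules. The MAC ranges and the 0x600 EtherType threshold come from the text; the function names, the `block_bpdu` switch (standing in for an EtherType ACL that denies BPDUs) and the sample frames are this example's own constructions.

```python
from typing import Optional

# Allowed group (broadcast/multicast) destination MAC ranges from the list above.
ALLOWED_MAC_RANGES = [
    ("true broadcast",      "ffff.ffff.ffff", "ffff.ffff.ffff"),
    ("IPv4 multicast",      "0100.5e00.0000", "0100.5efe.ffff"),
    ("IPv6 multicast",      "3333.0000.0000", "3333.ffff.ffff"),
    ("BPDU multicast",      "0100.0ccc.cccd", "0100.0ccc.cccd"),
    ("AppleTalk multicast", "0900.0700.0000", "0900.07ff.ffff"),
]

MIN_ETHERTYPE = 0x600  # anything below this is an 802.3 length field, not an EtherType


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted (7426.acc8.e4df) or colon/dash separated MAC notation."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def is_unicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) is 0 for unicast."""
    return (mac_to_int(mac) >> 40) & 0x01 == 0


def allowed_group_mac(mac: str) -> Optional[str]:
    """Name of the allowed broadcast/multicast range containing mac, or None."""
    value = mac_to_int(mac)
    for name, low, high in ALLOWED_MAC_RANGES:
        if mac_to_int(low) <= value <= mac_to_int(high):
            return name
    return None


def transparent_decision(dst_mac: str, ethertype: int,
                         is_isis: bool = False, block_bpdu: bool = False) -> str:
    """Return 'pass' or a 'drop: ...' reason for a frame entering a transparent-mode ASA.

    Rules modelled from the text: unicast frames are bridged; group MACs are
    accepted only from the listed ranges; EtherTypes below 0x600 are dropped
    except for BPDUs and IS-IS; block_bpdu stands in for an EtherType ACL that
    denies BPDUs (the failover case mentioned above). This is a simplified model.
    """
    unicast = is_unicast(dst_mac)
    group = None if unicast else allowed_group_mac(dst_mac)
    is_bpdu = group == "BPDU multicast"
    if is_bpdu and block_bpdu:
        return "drop: BPDU denied by EtherType ACL"
    if is_bpdu or is_isis:
        return "pass"  # supported even though they carry an 802.3 length field
    if ethertype < MIN_ETHERTYPE:
        return "drop: EtherType below 0x600"
    if unicast:
        return "pass"
    if group is None:
        return "drop: group MAC not in allowed list"
    return "pass"


# Constructed sample frames: (destination MAC, EtherType or 802.3 length, description)
SAMPLE_FRAMES = [
    ("7426.acc8.e4e3", 0x0800, "IPv4 unicast to a learned host"),
    ("ffff.ffff.ffff", 0x0806, "ARP request broadcast"),
    ("0100.5e00.0001", 0x0800, "IPv4 multicast (all-hosts group)"),
    ("0100.5eff.0001", 0x0800, "IPv4 MAC outside the allowed multicast range"),
    ("0100.0ccc.cccd", 0x0026, "PVST+ BPDU carried in an 802.3 frame"),
    ("0100.0ccc.cccc", 0x0026, "CDP carried in an 802.3 frame"),
]

if __name__ == "__main__":
    for mac, etype, desc in SAMPLE_FRAMES:
        print(f"{mac}  0x{etype:04x}  {desc:45s} -> {transparent_decision(mac, etype)}")
```

The CDP frame is the instructive case: its destination MAC is not on the allowed list and its 802.3 length field is below 0x600, so it is dropped on both counts, which matches the statement above that CDP is not passed.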
6. Multiple Context Mode
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode

ciscoasa/admin# show context detail
Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Interfaces: GigabitEthernet0/0, GigabitEthernet0/5, Management0/0
  IPS Sensors:
  Class: default, Flags: 0x00000813, ID: 1

ciscoasa/admin# changeto system
ciscoasa# show context
Context Name      Class      Interfaces           Mode         URL
*admin            default    GigabitEthernet0/0,  Routed       disk0:/admin.cfg
                             GigabitEthernet0/5,
                             Management0/0
 Test             default    GigabitEthernet0/1   Routed       disk0:/sample_context.cfg
Total active Security Contexts: 2

ciscoasa(config-ctx)# show configuration
: Saved
: Written by enable_15 at 15:23:23.089 EDT Fri May 16 2014
!
ASA Version 9.1(2) <system>
!
hostname ciscoasa
enable password gszFpnIcgTCoPiuN encrypted
no mac-address auto
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
!
interface Management0/0
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
banner login
banner login '
banner login You have logged in to a secure device.
banner login If you are not authorized to access this
banner login device, log out immediately or risk possible criminal consequences.
banner motd
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
no failover
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0

admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/5
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!

context Test
  description This is a context for test customer A
  allocate-interface GigabitEthernet0/1 interface1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/sample_context.cfg
!

username test password P4ttSyrm33SV8TYp encrypted
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:58e3ee4507ba1ced5b2adaa4f1b150f0

ciscoasa/admin(config)# changeto context Test
ciscoasa/Test(config)# show configuration
: Saved
: Written by enable_15 at 15:30:24.969 EDT Fri May 16 2014
!
ASA Version 9.1(2) <context>
!
hostname Test
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface interface1
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:37989de030631be2f716051eca2f01c1
: end

ciscoasa(config-ctx)# write memory all
Building configuration...
Saving context : system : (000/002 Contexts saved)
Cryptochecksum: 6469133b e64dd3f3 5a634ba6 42d1495d
1684 bytes copied in 0.690 secs
Saving context : admin : (001/002 Contexts saved)
Cryptochecksum: 714e8aba f5ca6ed0 8508dbaf eba2f3cb
7649 bytes copied in 0.190 secs
Saving context : Test : (002/002 Contexts saved)
Cryptochecksum: 6124f114 b4910350 b1137692 0dfc32c1
1671 bytes copied in 0.80 secs
[OK]
7. Ping from ASA Internal Interface to outside
Note: 11.11.11.11 is the local LAN interface, and 1.1.1.2 is another ASA's WAN interface. The ping from the local ASA LAN interface to the outside fails because the ASA by default maintains a state table for TCP and UDP connections only. It's not that the echo requests aren't sent; it's just that the ASA does not allow the echo reply back in from an interface with a lower configured security-level. The solution is to turn on ICMP inspection (inspect icmp) in the global policy, which can be done from ASDM.
ciscoasa(config)# packet-tracer input WAN icmp 11.11.11.11 8 0 1.1.1.2 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.0   WAN

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd98d6050, priority=111, domain=permit, deny=true
        hits=4, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=WAN, output_ifc=WAN

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
For ICMP traffic destined to the ASA itself, the relevant commands are the following:
ciscoasa(config)# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
Note: If NAT is enabled from internal to external, you may also need an access-list that allows the ICMP echo-reply packets in on the external interface.
8. Enable Logging
ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging asdm informational
asa842-1(config)# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 6 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 23 messages logged
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging buffered 7'
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-7-609001: Built local-host WAN:22.22.22.23
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
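Once logging is on, the messages in the buffer follow the fixed `%ASA-<severity>-<message id>:` header, and the numeric level you give to `logging buffered` or `logging asdm` keeps that severity and everything more severe. The following is an added example, not code from the original post or from Cisco: a Python parser that pulls the severity and message ID out of each line, extracts the connection fields from the 302020 messages and the user/command from the 111008/111010 audit messages, and filters the result the way a configured logging level would. The sample buffer is constructed to mirror the lines shown above; the regular expressions and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample buffer: the first four lines mirror the kinds of messages in
# the `sh logging` output above, the last line is deliberate noise.
SAMPLE_LOG = """\
%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0 gaddr 11.11.11.12/55300 laddr 11.11.11.12/55300
this line is not an ASA syslog message
"""

# Syslog severity numbers as the ASA `logging` commands name them.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

HEADER_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# 302020: Built {inbound|outbound} ICMP connection for faddr ... gaddr ... laddr ...
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>\S+) connection for "
    r"faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)"
)
# 111008 / 111010: a user executed a configuration command
CMD_RE = re.compile(r"User '(?P<user>[^']+)'.*executed (?:the )?'(?P<command>[^']+)'")


@dataclass
class AsaMessage:
    severity: int
    msgid: str
    text: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[AsaMessage]:
    """Parse one %ASA-<sev>-<id>: line; return None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg = AsaMessage(int(m.group("sev")), m.group("msgid"), m.group("text"))
    if msg.msgid == "302020":
        conn = CONN_RE.search(msg.text)
        if conn:
            msg.fields = conn.groupdict()
    elif msg.msgid in ("111008", "111010"):
        cmd = CMD_RE.search(msg.text)
        if cmd:
            msg.fields = cmd.groupdict()
    return msg


def parse_log(text: str) -> List[AsaMessage]:
    """Parse a whole buffer, silently skipping lines that are not ASA messages."""
    return [m for m in (parse_line(raw) for raw in text.splitlines()) if m is not None]


def logged_at(messages: List[AsaMessage], level: int) -> List[AsaMessage]:
    """Messages a destination configured with `logging <dest> <level>` would keep.

    A level keeps that severity and everything more severe (lower number), so
    `logging asdm informational` (6) keeps levels 5 and 6 but not 7 (debugging).
    """
    return [m for m in messages if m.severity <= level]


def config_changes(messages: List[AsaMessage]) -> List[str]:
    """Audit view: who ran which configuration command (111008 / 111010)."""
    return [f"{m.fields['user']}: {m.fields['command']}"
            for m in messages if "command" in m.fields]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in logged_at(msgs, 6):
        print(m.severity_name, m.msgid, m.fields or m.text)
    print("config changes:", config_changes(msgs))
```

Running it against the sample shows why `logging buffered 7` and `logging asdm informational` give different counts in the `sh logging` output above: the 609001 local-host messages are level 7 and only reach the buffer, while the 302020 connection records and the 111008/111010 audit records reach both.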
9. NAT
- Dynamic NAT (Global)
  object network inside-subnet
   subnet 192.168.0.0 255.255.255.0
   nat (inside,outside) dynamic interface
- Static NAT with Objects
  object network webserver-external-ip
   host 198.51.100.101
  !
  object network webserver
   host 192.168.1.100
   nat (dmz,outside) static webserver-external-ip service tcp www www
There are now 2 types of NAT: Auto NAT and Manual NAT.
- Auto NAT - Only the source is used as match criteria when NATing.
- Manual NAT - Both the source and destination are used as match criteria when NATing.
Auto NAT
Auto NAT only considers the source address when performing NAT. Because of this, Auto NAT is only used for static or dynamic NAT.
Auto NAT is configured within a network object.
Example
Below is an example of a static NAT.
asa(config)# object network obj-server
asa(config-network-object)# host 192.168.100.1                        <-- REAL IP
asa(config-network-object)# nat (inside,outside) static 88.88.88.1    <-- MAPPED IP
After configuring this NAT and looking at the configuration, we can see the configuration in 2 places: the object and the NAT rule.
asa# show run object
object network obj-server
 host 192.168.100.1
asa# show run nat
object network obj-server
 nat (inside,outside) static 88.88.88.1
Manual NAT
Manual NAT considers either only the source, or both the source and destination address, when performing NAT. Manual NAT can be used for (pretty much) all types of NAT, i.e. NAT exempt, policy NAT etc.
Because Manual NAT can also NAT the source and destination within a single statement, it is also known as twice NAT.
Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from global configuration mode. However, only objects are used within the Manual NAT rule rather than IP addresses directly.
Example
Below is an example of static NAT where only the source is considered for NAT. However, this is typically done with Auto NAT.
object network obj-server-private
 host 192.168.100.1
object network obj-server-public
 host 88.88.88.88
nat (DMZ,outside) source static obj-server-private obj-server-public
Below is the syntax if we wanted to consider both the source and destination. This method (twice NAT) is also used for NAT exempt (covered in a separate article).
nat (real_ifc,mapped_ifc) source static REAL-SRC MAPPED-SRC destination static REAL-DST MAPPED-DST
NAT Order
NAT rules are ordered in 3 sections.
- Section 1 – Manual NAT
- Section 2 – Auto NAT
- Section 3 – Manual NAT After-Auto
By default only sections 1 and 2 are used. However, should you need to place a Manual NAT rule after Auto NAT, you can specify the keyword after-auto when configuring the Manual NAT rule to place it within Section 3.
nat (real,mapped) [after-auto] [Line#] .........
To view the order of precedence, use the "show nat" command.
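The two things that decide which translation a packet gets are the match criteria (source only for Auto NAT, source plus destination for twice NAT) and the section order above. The following is an added example, not code from the original post or from Cisco: a Python model of a NAT table that orders rules by section and returns the first match. The two Auto NAT rules reproduce the examples earlier in this section; the VPN exemption subnet (10.10.10.0/24), the outside interface address (203.0.113.2), the after-auto subnet rule and all function names are this example's own constructions, and the real ASA applies additional ordering inside section 2 (static before dynamic, more specific real networks first) that this model replaces with configuration order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MANUAL, AUTO, MANUAL_AFTER_AUTO = 1, 2, 3   # the three NAT sections


@dataclass
class NatRule:
    name: str
    section: int                        # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto
    real_src: str                       # network the real source must fall in
    mapped_src: str                     # mapped network, or "interface" for dynamic PAT
    real_dst: Optional[str] = None      # twice NAT only: destination match criterion
    mapped_dst: Optional[str] = None    # twice NAT only: translated destination


def _in(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def _map(real_net: str, mapped: str, addr: str, interface_ip: str) -> str:
    """Translate addr, keeping its offset inside real_net when mapping to a network."""
    if mapped == "interface":
        return interface_ip
    offset = int(ip_address(addr)) - int(ip_network(real_net, strict=False).network_address)
    return str(ip_address(int(ip_network(mapped, strict=False).network_address) + offset))


def nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Precedence: section 1, then 2, then 3; configuration order within a section.

    Simplification (assumption of this model): the real ASA also sorts section 2
    by static-before-dynamic and by how specific the real network is.
    """
    return sorted(rules, key=lambda r: r.section)   # sorted() is stable


def translate(rules: List[NatRule], src: str, dst: str,
              interface_ip: str) -> Optional[Tuple[str, str, str]]:
    """First matching rule wins. Returns (rule name, mapped src, mapped dst) or None."""
    for rule in nat_table(rules):
        if not _in(rule.real_src, src):
            continue
        if rule.real_dst is not None and not _in(rule.real_dst, dst):
            continue
        new_src = _map(rule.real_src, rule.mapped_src, src, interface_ip)
        new_dst = dst
        if rule.real_dst is not None and rule.mapped_dst is not None:
            new_dst = _map(rule.real_dst, rule.mapped_dst, dst, interface_ip)
        return rule.name, new_src, new_dst
    return None


# Constructed rule set, deliberately listed out of precedence order so that
# nat_table() has to sort it: an after-auto subnet rule, the two Auto NAT rules
# from the examples above, and a twice-NAT identity rule exempting a VPN subnet.
RULES = [
    NatRule("dmz-subnet after-auto", MANUAL_AFTER_AUTO, "192.168.1.0/24", "198.51.100.0/24"),
    NatRule("inside-subnet PAT", AUTO, "192.168.0.0/24", "interface"),
    NatRule("webserver static", AUTO, "192.168.1.100/32", "198.51.100.101/32"),
    NatRule("vpn-exempt", MANUAL, "192.168.0.0/24", "192.168.0.0/24",
            real_dst="10.10.10.0/24", mapped_dst="10.10.10.0/24"),
]
OUTSIDE_IP = "203.0.113.2"   # constructed outside interface address for dynamic PAT

if __name__ == "__main__":
    for src, dst in [("192.168.0.25", "10.10.10.5"), ("192.168.0.25", "198.51.100.9"),
                     ("192.168.1.100", "198.51.100.9"), ("192.168.1.50", "198.51.100.9"),
                     ("10.0.0.5", "198.51.100.9")]:
        print(f"{src} -> {dst}: {translate(RULES, src, dst, OUTSIDE_IP)}")
```

The interesting cases are the overlaps: 192.168.0.25 to the VPN subnet hits the section 1 exemption before the section 2 PAT rule, and 192.168.1.100 still gets its section 2 static mapping even though the section 3 after-auto rule also covers it, which is exactly the precedence `show nat` would display.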
10. Access Rules
To enable traffic between interfaces that are configured with the same security level, use the same-security-traffic permit inter-interface command (it appears in the example configuration in section 11).
Inbound and Outbound Rules
You can configure access rules based on the direction of traffic:
• Inbound—Inbound access rules apply to traffic as it enters an interface. Global and management access rules are always inbound.
• Outbound—Outbound rules apply to traffic as it exits an interface.
"Inbound" and "outbound" refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
Note
An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict access,
- access-list (ACLs)
- Traffic going from a lower security interface to a higher security interface is denied by default
- Traffic going from a higher security interface to a lower security interface is allowed by default
- Example 1:
  access-list outside_acl extended permit tcp any object webserver eq www
  !
  access-group outside_acl in interface outside
- Example 2:
  object network dns-server
   host 192.168.0.53
  !
  access-list dmz_acl extended permit udp any object dns-server eq domain
  access-list dmz_acl extended deny ip any object inside-subnet
  access-list dmz_acl extended permit ip any any
  !
  access-group dmz_acl in interface dmz
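The two examples above only make sense together with the default security-level behaviour and the same-security rule from the start of this section: an inbound ACL on an interface is evaluated first-match with an implicit deny at the end, and without one the security levels decide. The following is an added example, not code from the original post or from Cisco: a Python evaluator that applies those rules to a flow and reports the reason. The objects (dns-server, inside-subnet, webserver) and both ACLs are taken from the examples above; the interface names, security levels, the order in which the checks are applied, and the sample flows are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str                      # network in CIDR notation, or "any"
    dst: str
    dport: Optional[int] = None   # "eq <port>"; None matches any port


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[Ace]] = None   # applied with "access-group <acl> in interface <name>"


def _match_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (_match_net(ace.src, src) and _match_net(ace.dst, dst)):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(ingress: Interface, egress: Interface, proto: str, src: str, dst: str,
             dport: Optional[int] = None,
             same_security_inter_interface: bool = False) -> Tuple[str, str]:
    """Decide (action, reason) for a flow entering `ingress` and leaving `egress`.

    Rules modelled, in this order (the ordering is this example's assumption):
      1. equal security levels need `same-security-traffic permit inter-interface`;
      2. an inbound ACL on the ingress interface is first-match with an implicit
         deny at the end, and replaces the default security-level behaviour;
      3. without an ACL, higher-to-lower is allowed and lower-to-higher is denied.
    """
    if ingress.security_level == egress.security_level and not same_security_inter_interface:
        return "deny", "same security level without same-security-traffic permit inter-interface"
    if ingress.acl is not None:
        for ace in ingress.acl:
            if ace_matches(ace, proto, src, dst, dport):
                return ace.action, f"matched ACE on {ingress.name}: {ace}"
        return "deny", f"implicit deny at end of {ingress.name} ACL"
    if ingress.security_level > egress.security_level:
        return "permit", "higher to lower security level, no ACL needed"
    if ingress.security_level == egress.security_level:
        return "permit", "same-security-traffic permit inter-interface"
    return "deny", "lower to higher security level without an ACL"


# Constructed topology using the objects from the examples above. ACLs reference
# the real (untranslated) addresses, as they have since ASA 8.3.
DNS_SERVER = "192.168.0.53/32"      # object network dns-server
INSIDE_SUBNET = "192.168.0.0/24"    # object network inside-subnet
WEBSERVER = "192.168.1.100/32"      # object network webserver (real IP)

OUTSIDE_ACL = [Ace("permit", "tcp", "any", WEBSERVER, 80)]      # outside_acl
DMZ_ACL = [Ace("permit", "udp", "any", DNS_SERVER, 53),         # dmz_acl
           Ace("deny", "ip", "any", INSIDE_SUBNET),
           Ace("permit", "ip", "any", "any")]

INSIDE = Interface("inside", 100)
INSIDE2 = Interface("inside2", 100)
GUEST = Interface("guest", 10)                 # lower security level, no ACL applied
DMZ = Interface("dmz", 50, DMZ_ACL)
OUTSIDE = Interface("outside", 0, OUTSIDE_ACL)

if __name__ == "__main__":
    flows = [
        (DMZ, INSIDE, "udp", "192.168.50.10", "192.168.0.53", 53),
        (DMZ, INSIDE, "tcp", "192.168.50.10", "192.168.0.20", 22),
        (DMZ, OUTSIDE, "tcp", "192.168.50.10", "203.0.113.9", 443),
        (OUTSIDE, DMZ, "tcp", "198.51.100.7", "192.168.1.100", 80),
        (OUTSIDE, DMZ, "tcp", "198.51.100.7", "192.168.1.100", 22),
        (INSIDE, OUTSIDE, "tcp", "192.168.0.10", "203.0.113.9", 443),
        (GUEST, INSIDE, "tcp", "10.20.0.5", "192.168.0.10", 22),
    ]
    for ingress, egress, proto, src, dst, dport in flows:
        action, reason = evaluate(ingress, egress, proto, src, dst, dport)
        print(f"{ingress.name:8s} -> {egress.name:8s} {proto} {src} -> {dst}:{dport}  {action:6s} ({reason})")
```

The DMZ cases show why the order of the three dmz_acl entries matters: DNS to the inside server is permitted by the first entry, anything else into the inside subnet is stopped by the second, and the final permit only lets the DMZ reach networks other than the inside one.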
11. Access Rules Examples
ASA Example Topology
ciscoasa# sh run
: Saved
:
: Serial Number: 9ALU3EW6LDF
: Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz
:
ASA Version 9.5(1)200
!
hostname ciscoasa
enable password PVSASRJovmamnVkD encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description Internal Interface
 nameif INTERNAL
 security-level 100
 ip address 10.94.200.12 255.255.255.0
!
interface GigabitEthernet0/1
 description DMZ Interface
 nameif DMZ
 security-level 100
 ip address 172.17.3.12 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!....
!
interface Management0/0
 management-only
 nameif MGMT
 security-level 0
 ip address 192.168.2.12 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network H_172.17.3.62_DMZ
 host 172.17.3.62
 description OpenWRT2
object network h_10.94.200.62_Internal
 host 10.94.200.62
 description Internal OpenWRT1
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp destination eq ssh
access-list DMZ_access_in extended permit icmp any any
access-list INTERNAL_access_in extended permit object-group DM_INLINE_SERVICE_1 object h_10.94.200.62_Internal object H_172.17.3.62_DMZ
pager lines 23
logging enable
logging buffered debugging
logging asdm informational
mtu MGMT 1500
mtu INTERNAL 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group INTERNAL_access_in in interface INTERNAL
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    .........
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 MGMT
ssh 10.94.200.0 255.255.255.0 INTERNAL
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password eY/fQXw7Ure8Qrz7 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:f0b9b7ac46de68d4f289d84909d1d497
: end
12. Backup and Restore Configuration
Backup configuration to local disk.
ciscoasa# copy startup-config disk0:/backup-02202016

Destination filename [backup-02202016]?
Copy in progress...C
7072 bytes copied in 0.10 secs
ciscoasa#
Restore Configuration
ciscoasa(config)# clear configure all
ciscoasa# copy disk0:/backup-02202016 startup-config
13. ICMP/SSH/ASDM to another interface behind one interface
I met the same issue as the post "Failed to locate egress interface...".
Topology:
Symptom:
IP Computer 1 is able to reach IP Computer 2, but not the firewall ASA's IP Inside2, even though it is in the same segment as IP Computer 2.
Solution from the post:
"Cisco firewalls do not allow ICMP from behind one interface to another interface on the same device. The only exception to this is when traffic is coming through VPN and a specific configuration command has been entered to the device to which you are trying to ICMP from behind a VPN connection.
So if Computer 1 needs to ICMP Inside 2 then the firewall that has the Inside 2 interface must be configured with the command
management-access"
http server enable
http 10.50.2.0 255.255.255.0 Mgmt
http 172.17.0.0 255.255.255.0 MGMT
ssh 10.50.2.0 255.255.255.0 MGMT
ssh 172.17.0.0 255.255.255.0 MGMT
management-access MGMT