Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus,
intrusion prevention, and virtual private network (VPN) capabilities. An ASA can be used as a
security solution for both small and large networks.
Each interface has an associated security level: a numeric value from 0 to 100 that the ASA uses to control traffic flow. Traffic is permitted from interfaces with higher security levels to interfaces with lower security levels, but not the opposite; access lists are used to permit traffic from lower security levels to higher security levels. The default security level for an outside interface is 0, and for an inside interface it is 100. If we need to publish services to the internet, we would use another interface, named DMZ (demilitarized zone), with a default security level of 50.
In this example the inside interface has the IP address 192.168.2.2 and the outside interface 209.165.200.226. We'll configure the ASA to allow ping from client1 to the internet, and we'll also configure NAT on the ASA, so that when the client accesses the internet, from the outside perspective the traffic appears to come from the ASA's outside interface.
R1 configuration
See https://zarzyc.wordpress.com/2014/09/04/connecting-the-gns3-to-real-network-device/ for
connecting GNS3 router to the internet
R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config-if)#int s1/0
R1(config-if)#ip address 10.1.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip nat inside
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1 !DG for my laptop physical NIC
R1(config)#router eigrp 20
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#redistribute static !advertise route to the internet to all EIGRP neighbors
R1(config)#access-list 3 permit 192.168.3.0 0.0.0.255 !network where client resides
R1(config)#access-list 4 permit 209.165.200.0 0.0.0.255 !asa outside network
R1(config)#access-list 5 permit 192.168.2.0 0.0.0.255 !asa inside network
R1(config)#ip nat inside source list 3 interface FastEthernet0/0 overload !nat rules
R1(config)#ip nat inside source list 4 interface FastEthernet0/0 overload
R1(config)#ip nat inside source list 5 interface FastEthernet0/0 overload
R2 config
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
router eigrp 20
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary
ASA config
ciscoasa# config t
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# nameif outside
ciscoasa# config t
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 192.168.2.2 255.255.255.0
ciscoasa(config-if)# nameif inside
Alternatively, we can use the Modular Policy Framework (MPF) to enable ICMP traffic.
A class map identifies the traffic to which we want to apply actions (we created a class map named icm-traffic; we can set any name we want):
ciscoasa(config-cmap)# match ?
Associate actions with the previously created class map by creating a policy map named my-policy and inspecting ICMP traffic.
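As an added example (not the page's own configuration), here is the complete ASA side of this setup: interfaces with explicit security levels, a default route toward R2, interface PAT so inside hosts appear as the outside address, and the MPF class map and policy map the text names. Assumed: ASA 8.3 or later object NAT syntax, the object and access-list names, and R2's 209.165.200.225 as the ASA's next hop; the route to the client LAN behind the inside interface is left out because the page gives no next hop for it.

```cisco
! Added example, not the page's own config. Interface names and addresses
! follow the text; object names and the access-list name are hypothetical.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
 no shutdown
!
! Default route toward the internet via R2's FastEthernet0/0
route outside 0.0.0.0 0.0.0.0 209.165.200.225
!
! Interface PAT (ASA 8.3+ syntax): inside and client networks leave the ASA
! using the outside interface address, as the text describes.
object network INSIDE-LAN
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network CLIENT-LAN
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! MPF: match ICMP with an access list, inspect it in policy my-policy, and
! apply the policy where the pings enter (inside). Inspection tracks each
! echo request so the echo reply from the lower-security outside interface
! is allowed back in without an outside access list.
access-list icmp-traffic extended permit icmp any any
class-map icm-traffic
 match access-list icmp-traffic
policy-map my-policy
 class icm-traffic
  inspect icmp
service-policy my-policy interface inside
```

Check the result with `show conn` while a ping is running: each echo request should appear as an ICMP connection, and `show nat` should show the translation hits on the outside interface address.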
To summarize: