
Configuring ASA on GNS3-allow ICMP traffic

Posted: July 31, 2015 in CISCO


Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus,
intrusion prevention, and virtual private network (VPN) capabilities. An ASA can be used as a
security solution for both small and large networks.

By default, the ASA doesn’t allow ICMP from the inside to the outside interface.

The inside interface is connected to the internal network, and the outside interface to the public network.

Every interface has an associated security level. It is a numeric value, ranging from 0 to 100, that the ASA uses to control traffic flow. Traffic is permitted from interfaces with higher security levels to interfaces with lower security levels, but not the opposite. We use access lists to permit traffic from lower security levels to higher security levels. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. If we need to publish services to the internet, we would use another interface named DMZ (demilitarized zone) with a default security level of 50.

In this example the inside interface has the IP address 192.168.2.2 and the outside interface 209.165.200.226. We’ll configure the ASA to allow ping from client1 to the internet, and we’ll also configure NAT on the ASA, so that when the client accesses the internet, from the outside perspective the traffic appears to come from the ASA’s outside interface.

R1 configuration

See https://zarzyc.wordpress.com/2014/09/04/connecting-the-gns3-to-real-network-device/ for connecting a GNS3 router to the internet.

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config-if)#int s1/0
R1(config-if)#ip address 10.1.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip nat inside
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1 !DG for my laptop physical NIC
R1(config)#router eigrp 20
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#redistribute static !advertise route to the internet to all EIGRP neighbors
R1(config)#access-list 3 permit 192.168.3.0 0.0.0.255 !network where client resides
R1(config)#access-list 4 permit 209.165.200.0 0.0.0.255 !asa outside network
R1(config)#access-list 5 permit 192.168.2.0 0.0.0.255 !asa inside network
R1(config)#ip nat inside source list 3 interface FastEthernet0/0 overload !nat rules
R1(config)#ip nat inside source list 4 interface FastEthernet0/0 overload
R1(config)#ip nat inside source list 5 interface FastEthernet0/0 overload

R2 configuration

interface Serial1/0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
router eigrp 20
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

ASA configuration

!interface to the internet

ciscoasa# config t
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# nameif outside

!interface to the inside network

ciscoasa# config t
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 192.168.2.2 255.255.255.0
ciscoasa(config-if)# nameif inside

!for the ASA we must use a real netmask, not a wildcard mask

ciscoasa(config)# config t
ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 209.165.200.0 255.255.255.0
ciscoasa(config-router)# network 192.168.2.0 255.255.255.0
ciscoasa(config-router)# no auto-summary
!create an access list to allow traffic from the inside network (192.168.3.0) to the internet (any);
!unlike Cisco routers and switches, ASA access lists use real network masks

ciscoasa(config)#access-list 102 extended permit icmp 192.168.3.0 255.255.255.0 any echo
!the echo reply comes from the location we pinged (any), so we also allow ICMP echo-reply from the
!internet (any) to our internal "inside" network (192.168.3.0):
ciscoasa(config)#access-list 102 extended permit icmp any 192.168.3.0 255.255.255.0 echo-reply
!apply this ACL to the traffic flowing from the inside network IN to the outside interface
ciscoasa(config)#access-group 102 in interface outside

IN and OUT directions can be confusing :), for a better understanding see

http://www.virtxpert.com/ins-outs-of-cisco-asa-acls/
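To check which ICMP flows the access list above actually lets through, here is an added example (not part of the original post) that parses the two ACEs and applies the security-level rule described earlier. It assumes a simplified model: an ACL bound inbound on an interface decides with an implicit deny, an interface without an ACL falls back to the higher-to-lower rule, and ICMP is stateless because no inspection is configured yet.

```python
import ipaddress
from dataclasses import dataclass

# Interface security levels as described in the post: inside 100, outside 0.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # e.g. "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: str = None       # "echo", "echo-reply" or None for any ICMP type

def _take_addr(tok):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return ipaddress.IPv4Network(tok[0] + "/" + tok[1]), tok[2:]  # real mask, not wildcard

def parse_ace(line):
    """Parse one 'access-list N extended permit|deny PROTO SRC DST [icmp-type]' line."""
    tok = line.split()
    src, rest = _take_addr(tok[5:])
    dst, rest = _take_addr(rest)
    return Ace(tok[3], tok[4], src, dst, rest[0] if rest else None)

# The two ACEs from the post, bound with 'access-group 102 in interface outside'.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 extended permit icmp 192.168.3.0 255.255.255.0 any echo",
    "access-list 102 extended permit icmp any 192.168.3.0 255.255.255.0 echo-reply",
)]
ACCESS_GROUPS = {"outside": ACL_102}  # ingress interface -> ACL applied inbound

def permitted(ingress, egress, proto, src, dst, icmp_type=None, access_groups=ACCESS_GROUPS):
    """Model (assumption, not ASA internals): an inbound ACL on the ingress interface
    decides, ending in an implicit deny; with no ACL the security-level rule applies
    (higher -> lower only). ICMP is treated statelessly, as without 'inspect icmp'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    acl = access_groups.get(ingress)
    if acl is not None:
        for ace in acl:
            if (ace.proto == proto and s in ace.src and d in ace.dst
                    and ace.icmp_type in (None, icmp_type)):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ASA ACL
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
```

With `access_groups={}` the echo request still leaves (100 > 0) but the reply is dropped at the outside interface, which is exactly the symptom the post sets out to fix; an unsolicited echo from the internet stays blocked even with the ACL in place.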

Alternatively, we can use the Modular Policy Framework (MPF) to enable ICMP traffic.

A class map identifies the traffic to which we want to apply actions (we created a class map named icmp-traffic; we can set any name we want):

ciscoasa(config)# class-map icmp-traffic

The default class map is called default-inspection-traffic. It matches all traffic that is predefined for various protocols, among them ICMP.

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:

access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group

ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit

Associate actions with the previously created class map by creating a policy map named my-policy that inspects ICMP traffic:

ciscoasa(config)# policy-map my-policy
ciscoasa(config-pmap)# class icmp-traffic
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

Finally, assign the policy map to the outside interface:

ciscoasa(config)# service-policy my-policy interface outside

To summarize:

class-map: identifies the traffic (ICMP in our case, defined in default-inspection-traffic)

policy-map: the action to take on the traffic specified in the class map (inspect icmp)

service-policy: where to apply the actions specified in the policy map (the outside interface)

Enable icmp debugging on ASA:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1

Ping 8.8.8.8 from the client and observe the debugging output.

On R1, look at the NAT table:

R1#sh ip nat translations
Pro  Inside global          Inside local        Outside local      Outside global
tcp  192.168.137.63:1202    192.168.3.10:1202   2.22.213.235:80    2.22.213.235:80

From the inside perspective, the traffic originates from the client.


Configuring NAT on the ASA firewall

Create a network object for the internal network (192.168.3.0) named mynetwork:

ciscoasa(config)# object network mynetwork
ciscoasa(config-network-object)# subnet 192.168.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

This creates a NAT rule for traffic sourced from devices on the inside (192.168.3.0) going to the outside: the source address of the inside network is translated to the address of the ASA’s outside interface (209.165.200.226). Ping the internet again from client1 and observe the NAT translation table:

Pro   Inside global           Inside local             Outside local     Outside global
icmp  192.168.137.63:10785    209.165.200.226:10785    8.8.8.8:10785     8.8.8.8:10785


Traffic from client1 (192.168.3.10) appears as if it comes from the ASA’s outside interface.
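The rewriting behind that translation table row, as an added example that is not part of the original post: a small model of the dynamic interface PAT above for ICMP, using the post’s object network (192.168.3.0/24) and outside interface address (209.165.200.226). It is an assumption-based simplification of the behaviour described, not the ASA’s own xlate implementation; the ICMP identifier stands in for a port, and a reply with no matching translation is dropped.

```python
import ipaddress

class DynamicPat:
    """Model of 'nat (inside,outside) dynamic interface' for ICMP (assumption: a simplified
    model of the behaviour the post describes, not the ASA's own xlate logic). Every inside
    host is hidden behind the mapped address; the ICMP identifier plays the role of a port."""

    def __init__(self, inside_subnet, mapped_ip):
        self.subnet = ipaddress.IPv4Network(inside_subnet)  # object network mynetwork
        self.mapped_ip = mapped_ip                          # ASA outside interface address
        self.xlate = {}      # (mapped_ip, mapped_id) -> (inside_ip, inside_id)
        self.by_inside = {}  # (inside_ip, inside_id) -> mapped_id

    def outbound(self, src_ip, icmp_id):
        """Translate an echo request leaving via outside; returns (new_src_ip, new_id)."""
        if ipaddress.IPv4Address(src_ip) not in self.subnet:
            return src_ip, icmp_id                    # not covered by the NAT rule
        key = (src_ip, icmp_id)
        if key not in self.by_inside:
            mapped_id = icmp_id                       # keep the id when it is free...
            while (self.mapped_ip, mapped_id) in self.xlate:
                mapped_id = (mapped_id + 1) % 65536   # ...else pick the next free one
            self.xlate[(self.mapped_ip, mapped_id)] = key
            self.by_inside[key] = mapped_id
        return self.mapped_ip, self.by_inside[key]

    def inbound(self, dst_ip, icmp_id):
        """Untranslate an echo reply arriving on outside; None = no xlate, packet dropped."""
        return self.xlate.get((dst_ip, icmp_id))

    def show_xlate(self):
        """Rows in the spirit of the 'sh ip nat translations' columns shown in the post."""
        return [f"icmp {m[0]}:{m[1]} {i[0]}:{i[1]}" for m, i in self.xlate.items()]

# Constructed scenario from the post: client1 (192.168.3.10) pings 8.8.8.8 with ICMP id 10785.
PAT = DynamicPat("192.168.3.0/24", "209.165.200.226")
```

Walking client1’s request and reply through `PAT` reproduces the 209.165.200.226:10785 entry seen on R1, and a second inside host reusing the same identifier is given a different mapped one so replies are still returned to the right client.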
