Configuring ASA 5506

The document outlines the configuration steps for an ASA 5506 firewall and Router1, including setting up interfaces, DHCP, NAT, and firewall policies. It details commands for configuring IP addresses, security levels, and enabling ICMP and HTTP inspection. The document concludes with verification steps for successful connectivity and DNS resolution from connected PCs.

STEPS
Configuring Router1:

# enable
# conf t
# hostname Router1
# int G0/1
# ip address 8.8.8.1 255.255.255.0
# no shut
# int G0/0
# ip address 10.1.1.2 255.255.255.252
# no shut

G0/0 is the link to the ASA's outside interface (10.1.1.0/30); G0/1 is the "internet" side, where the server used later in this lab (8.8.8.8) sits. Note that the hostname is entered without a trailing period: anything after `hostname` becomes part of the name.

Configure the ASA

# enable
(press Enter at the password prompt; no enable password is configured yet)
# conf t
# hostname ASA5506FW
Configure an enable password of "TEC":
# enable password TEC
Configure the domain name tec.mx:
# domain-name tec.mx
Configure a username Admin with the password "cisco":
# username Admin password cisco
These are lab credentials only; they are far too weak for anything outside this exercise.

NEXT:
Check what has been pre-configured on the device by default.
# show run

We notice the following on G1/1:
- the interface name: nameif inside
- a security level of 100
- the private internal IP address 192.168.1.1/24
And on G1/2:
- the interface name: nameif outside
- a security level of 0
- an IP address obtained by DHCP

NEXT:
We will remove this configuration from both interfaces.
On ASA5506:
# conf t
# int G1/1
# no ip address 192.168.1.1 255.255.255.0
# no nameif
# no security-level 100
# int G1/2
# no ip address dhcp
# no nameif
# no security-level 0

NEXT:
Verify that the ports are clear
# show run
Then configure G1/1 as the outside interface, facing Router1's G0/0:
On ASA5506:
# int G1/1
# ip address 10.1.1.1 255.255.255.252
# nameif outside
# security-level 0
# no shut
NEXT:
Time to configure the internal private network on interface Ma1/1
# int ma1/1
# ip address 192.168.1.1 255.255.255.0
# nameif inside
# security-level 100
# no shut
Caveat: using Management1/1 as the inside data interface works in the lab simulator, but on physical ASA 5506-X hardware Management1/1 is a management-only interface that does not pass through-traffic; there, put the inside network on one of the GigabitEthernet1/x ports instead.

NEXT:
Configure ASA5506 as the DHCP server for the internal network.
First set the pool of addresses (the ASA keyword is dhcpd, not dhcp; the pool must lie inside the inside interface's subnet and must not include the interface address itself):
# dhcpd address 192.168.1.5-192.168.1.35 inside
Configure the DNS server handed out to clients:
# dhcpd dns 8.8.8.8
The default gateway (option 3 is the router option; the ASA already hands out the inside interface address by default, so this only makes it explicit):
# dhcpd option 3 ip 192.168.1.1
Next, activate the DHCP server and enable it for the inside network:
# dhcpd enable inside
NEXT:
Configure a default route so the internal private network can reach the server on the internet; the next hop is Router1's G0/0 address on the outside subnet.
On ASA5506:
# conf t
# route outside 0.0.0.0 0.0.0.0 10.1.1.2

NEXT:
Configure NAT on the ASA5506
Network Address Translation (NAT) rewrites the IP addresses of hosts on a local network so that they appear on the internet behind one public address, or a few. It is normally done on the router or firewall that connects those hosts to the internet.
Dynamic NAT on the ASA translates private source addresses to public ones as hosts go out to the internet, mapping many private addresses onto a pool of public addresses. The form used here, dynamic PAT (port address translation, `dynamic interface`), goes one step further: every inside host is translated to the single address of the outside interface, 10.1.1.1, and the ASA keeps the sessions apart by rewriting the source ports.
First, create a network object.
A network object can contain a host, a network address, a range of IP addresses, or a fully qualified domain name (FQDN). You can also attach NAT rules to the object.
# object network INSIDE
This NAT is for the inside subnet, the private network:
# subnet 192.168.1.0 255.255.255.0
Now configure NAT:
# nat (inside,outside) dynamic interface
The (inside,outside) pair names the real interface, where the untranslated 192.168.1.0/24 addresses live, and the mapped interface, where the translated traffic leaves. `dynamic interface` means "translate to whatever address the outside interface has", which is what makes this PAT rather than a pool-based dynamic NAT.
# exit
Verify
# show nat
(once traffic flows, show xlate lists the active translations)
Then test by pinging the server from PC-1.

On PC-1:

# ping 8.8.8.8 : it should fail. The echo request is translated and sent out, but the ASA does not yet inspect ICMP, so it keeps no connection state for it, and the echo reply arriving on outside (security level 0) is dropped as unsolicited traffic toward inside (security level 100).


NEXT:
Configure the firewall ASA5506 to permit ICMP
What is inspection in a firewall?
Stateful inspection, also known as dynamic packet filtering, is a firewall technology that tracks the state of active connections and uses that state to decide which packets to allow through the firewall.
What is inspection on the Cisco ASA?
When many people think of protocol inspection, they think of a process that reads the payload of a packet and looks for some kind of wrongdoing. In practice, application inspection on the Adaptive Security Appliance (ASA) is mostly used to make protocols work through the firewall: it follows the protocol's state and allows the return traffic or secondary connections the protocol needs. For ICMP, inspection makes the ASA treat an echo request and its echo reply as one connection, so the reply is allowed back in.

Class maps and policy maps (the Modular Policy Framework): each class map defines a traffic classification, the network traffic that is of interest to you. A policy map defines the series of actions (such as inspections) to apply to each classified traffic set, and a service policy attaches a policy map to an interface or globally.
On ASA5506:
# conf t
# class-map inspection_default
# match default-inspection-traffic
# exit
match default-inspection-traffic selects the standard ports of the protocols the ASA knows how to inspect. On a factory-default ASA this class map, the policy map global_policy and the global service policy already exist; entering them again is harmless.
Next:
Time to set the policy map
# policy-map global_policy
Specify the class we created:
# class inspection_default
# inspect icmp
# exit
NEXT:
Enable the service policy
# service-policy global_policy global

NEXT:
Verify by pinging from PC-1 to the server
On PC-1:
# ping 8.8.8.8 : it should now be successful

Let us try to reach the server via a web browser from PC-2.
On PC-2:
Browse to http://8.8.8.8 : in this lab it times out.
To allow access to the server via web browser, we add HTTP inspection on the ASA5506:
On ASA5506:
# conf t
# policy-map global_policy
# class inspection_default
# inspect http
Run the show command:
# show run
Notice the changes.
Caveat: on physical ASA hardware the browser test succeeds even without this step, because an outbound TCP connection from a higher security level (inside, 100) to a lower one (outside, 0) is permitted and tracked statefully by default. inspect http adds application-layer checks on the HTTP exchange (and drops traffic that does not comply with the protocol); it is not what opens the connection. The timeout observed before this step is behaviour of the lab environment.
Let us give it another try from PC-2.
On PC-2:
Browse to http://8.8.8.8 : it should be successful.
Let us try to ping the server by name, www.ccna.com, from PC-1.
On PC-1:
# ping www.ccna.com : it should fail
I will add DNS inspection on the ASA5506 by creating an inspection policy map for DNS.

On a factory-default ASA, DNS inspection is already enabled in global_policy using the preset_dns_map inspection policy map, with these parameters:
- The maximum DNS message length is 512 bytes.
- The maximum client DNS message length is automatically set to match the Resource Record.
In this lab it is absent from the running configuration, so we create the policy map and add it to the global policy.
On the ASA5506:
# conf t
# policy-map type inspect dns preset_dns_map
# parameters
# message-length maximum 512
# exit
# policy-map global_policy
# class inspection_default
# inspect dns preset_dns_map
# exit
Caveat: message-length maximum 512 drops any DNS message larger than 512 bytes, which breaks EDNS0 and DNSSEC responses that legitimately exceed that size. On a production ASA consider message-length maximum client auto, which takes the limit from the client's EDNS0 OPT record, or a larger explicit maximum.
I will verify the running configuration
# show run
Notice the policy map for the DNS inspection
NEXT,
Try to ping the server by name again, this time from PC-2
On PC-2:
# ping www.ccna.com : it should be successful
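As an added check (example code written for this edit, not part of the original lab), the following Python script parses a `show run` dump and verifies that the pieces configured above fit together: inside/outside security levels, a DHCP pool that lies within the inside subnet and excludes the gateway, a default route whose next hop is on the outside subnet, a network object covering the inside subnet that carries the dynamic PAT rule, and icmp/dns inspection in a globally applied global_policy. The embedded running-config is a constructed sample of what these steps produce, not output captured from a device, and the parser flattens nested indentation, which is enough for these checks but is not a general ASA configuration parser.

```python
import ipaddress
import re

# Constructed sample: the running-config the steps above produce (not captured from
# a real device; the trailing "1" on the route line is the metric show run adds).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.252
interface Management1/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http
  inspect dns preset_dns_map
service-policy global_policy global
"""

def parse_blocks(config):
    """Group lines into (top-level command, [indented sub-lines]); deeper nesting is flattened."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def interfaces(blocks):
    """Map nameif -> {'level': int, 'net': IPv4Interface} for statically addressed interfaces."""
    result = {}
    for head, body in blocks:
        if head.startswith("interface "):
            info = {}
            for line in body:
                w = line.split()
                if w[0] == "nameif":
                    info["name"] = w[1]
                elif w[0] == "security-level":
                    info["level"] = int(w[1])
                elif w[:2] == ["ip", "address"] and len(w) >= 4 and w[2] != "dhcp":
                    info["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            if "name" in info:
                result[info["name"]] = info
    return result

def audit(config):
    """Return a list of findings; an empty list means the lab end state is consistent."""
    blocks = parse_blocks(config)
    heads = [head for head, _ in blocks]
    ifaces = interfaces(blocks)
    inside, outside = ifaces.get("inside"), ifaces.get("outside")
    if not (inside and outside and "net" in inside and "net" in outside):
        return ["inside and outside must both be named and statically addressed"]
    findings = []
    if inside.get("level") != 100 or outside.get("level") != 0:
        findings.append("security levels must be inside=100, outside=0")
    inside_net, outside_net = inside["net"].network, outside["net"].network
    # DHCP: the pool must lie in the inside subnet, exclude the gateway, and be enabled
    for head in heads:
        m = re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", head)
        if m:
            lo, hi = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            if m[3] != "inside" or lo not in inside_net or hi not in inside_net:
                findings.append(f"dhcpd pool {lo}-{hi} is not within {inside_net} on inside")
            if lo <= inside["net"].ip <= hi:
                findings.append("dhcpd pool includes the inside interface address")
    if "dhcpd enable inside" not in heads:
        findings.append("dhcpd is not enabled on inside")
    # Default route: the next hop (Router1's G0/0) must be reachable on the outside subnet
    hop = next((h.split()[4] for h in heads
                if h.startswith("route outside 0.0.0.0 0.0.0.0 ")), None)
    if hop is None or ipaddress.ip_address(hop) not in outside_net:
        findings.append(f"default route via outside is missing or its next hop is not on {outside_net}")
    # NAT: a network object for the inside subnet must carry the dynamic PAT rule
    subnet_line = f"subnet {inside_net.network_address} {inside_net.netmask}"
    if not any(head.startswith("object network ") and subnet_line in body
               and any(l.startswith("nat (inside,outside) dynamic") for l in body)
               for head, body in blocks):
        findings.append(f"no dynamic NAT rule (inside,outside) for {inside_net}")
    # MPF: global_policy must inspect icmp and dns and be applied as the global service policy
    policy = dict(blocks).get("policy-map global_policy", [])
    for proto in ("icmp", "dns"):
        if not any(l.startswith(f"inspect {proto}") for l in policy):
            findings.append(f"global_policy does not inspect {proto}")
    if "service-policy global_policy global" not in heads:
        findings.append("global_policy is not applied as the global service policy")
    return findings
```

To use it on a real device, save the output of `show run` to a file, read it into a string and pass it to audit(); an empty list is a pass. The DHCP check catches the usual lab mistake of a pool that does not match the interface's subnet, and the NAT check flags a rule with the wrong interface pair, which the ASA accepts without complaint but which silently leaves inside hosts untranslated.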

END OF DOCUMENT.
