Cisco ASA Firewall DMZ / 2 inside zones configuration
With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.
I have a lab with a small scenario using the ASA firewall that I will demonstrate. In this scenario I will introduce a security firewall with four security zones and the config scripts. Two internal zones are implemented on one physical interface, using VLAN subinterfaces connected to the switch. The routers inside those zones have IP routing disabled, so they act as hosts. The DMZ zone hosts a web server, again a router with IP routing disabled that simulates a web server. We will focus only on the ASA configuration. There will be some restrictions for the inside zones: one zone will be denied some traffic and the other will have full access to the outside.
Now, let us take a look at the diagram of this small scenario.
First we define the interfaces, then the NAT/PAT configuration on the ASA firewall.
interface GigabitEthernet0/0
description CONNECTION TO OUTSIDE INTERNET
speed 100
duplex full
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1 >> this interface will be used to subinterfaces for VLANs 10,20
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description CONNECTION TO INSIDE 1
vlan 10
nameif inside1
security-level 80
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
description CONNECTION TO INSIDE 2
vlan 20
nameif inside2
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description CONNECTION TO DMZ
nameif DMZ
security-level 50
ip address 10.0.0.1 255.255.255.0
Let us now define an object group for the interesting ports.
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
Now we define the traffic to be NAT-ed and filtered, using access lists.
access-list OUTSIDE_IN extended permit tcp any host 100.1.1.2 object-group WEB-PORTS << Internet->webserver.
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq http << Zone1 access to web and email
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list INSIDE1_IN extended permit udp 192.168.1.0 255.255.255.0 any eq dns
access-list INSIDE2_IN extended permit ip 192.168.2.0 255.255.255.0 any << allow all access ZONE2
With the traffic defined we can configure the Port Translation (these are the pre-8.3 global/nat/static commands; ASA 8.3 and later use object NAT instead).
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
Since the outside needs access to the DMZ server, we create a static NAT entry for it.
static (DMZ,outside) 100.1.1.2 10.0.0.2 netmask 255.255.255.255
The next step is to apply the access lists to the appropriate interfaces on the firewall. Note that once an access-group is bound to an interface, that list decides what may enter there; the implicit deny at its end is what blocks everything not listed for INSIDE1_IN.
access-group OUTSIDE_IN in interface outside
access-group INSIDE1_IN in interface inside1
access-group INSIDE2_IN in interface inside2
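To sanity-check the policy above before it goes on the box, here is an added Python example (not part of the original post and not a Cisco tool) that parses the page's own access-list lines and applies the two ASA rules the text relies on: a bound access-group decides for its interface, otherwise the security-level default applies, and every ACL ends in an implicit deny. Interface names, levels, object group and ACLs are taken from the page; the sample flows and the evaluator itself are constructed.

```python
import ipaddress
# Values below are the page's config; the evaluator itself is an added example, not Cisco code.
SECURITY_LEVEL = {"outside": 0, "DMZ": 50, "inside1": 80, "inside2": 90}
OBJECT_GROUPS = {"WEB-PORTS": {80, 443}}
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "pop3": 110, "dns": 53}
ACCESS_GROUP = {"outside": "OUTSIDE_IN", "inside1": "INSIDE1_IN", "inside2": "INSIDE2_IN"}
ACL_TEXT = """\
access-list OUTSIDE_IN extended permit tcp any host 100.1.1.2 object-group WEB-PORTS
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list INSIDE1_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list INSIDE1_IN extended permit udp 192.168.1.0 255.255.255.0 any eq dns
access-list INSIDE2_IN extended permit ip 192.168.2.0 255.255.255.0 any
"""

def _addr(tok):
    # One ASA address spec: any | host A | A MASK -> (network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def _ports(tok):
    # Optional destination port spec (eq NAME|NUM or object-group G); None means any port
    if not tok:
        return None
    return OBJECT_GROUPS[tok[1]] if tok[0] == "object-group" else {PORT_NAMES.get(tok[1]) or int(tok[1])}

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        t = line.split()  # access-list NAME extended ACTION PROTO SRC DST [ports]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        acls.setdefault(t[1], []).append((t[3], t[4], src, dst, _ports(rest)))
    return acls

ACLS = parse_acls(ACL_TEXT)

def permitted(in_if, out_if, proto, src, dst, dport):
    # New connection entering in_if, leaving out_if: the bound ACL decides; with no ACL the
    # security-level default applies (higher level may initiate toward lower, never the reverse).
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    name = ACCESS_GROUP.get(in_if)
    if name is None:
        return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
    for action, p, s, d, ports in ACLS[name]:
        if p in ("ip", proto) and src in s and dst in d and (ports is None or dport in ports):
            return action == "permit"
    return False  # implicit deny at the end of every ACL
```

The outside check uses 100.1.1.2 because, as on the page, the pre-8.3 outside ACL matches the static NAT's global address rather than the DMZ host's real 10.0.0.2.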
For the clients to reach networks beyond the firewall, we must set up a default route.
route outside 0.0.0.0 0.0.0.0 100.1.1.10 1
The last config script we should implement on the ASA enables management from one of the zones (SSH also requires an RSA key pair to have been generated on the ASA).
ssh 192.168.1.0 255.255.255.0 inside1
ssh timeout 20
ssh version 2
That is all for now.
Feel free to comment.