Cisco ASA Security Levels

This topic is to discuss the following lesson:

Hi Rene,
I was trying to work on your topology above, but for some reason I can't ping to the other side of the ASA. The interfaces are up and I even applied this default command:

ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp

It still doesn't work on my GNS3. Do you have any idea about it?


Hi Georgi,

What if you try something else that doesn’t require changing the policy-map? For example telnetting from one device in a high security level to something in a low security level?

Rene


Telnet is working fine, and I actually found 2 ways to allow ping on the ASA.
The first one is:

! Class that matches all traffic, used here only to apply ICMP inspection
class-map icmp
 match any
!
policy-map icmp_policy
 class icmp
  inspect icmp
!
! Only one global service-policy is allowed: if the default global_policy is
! already applied globally, add "inspect icmp" to it instead of a second policy.
service-policy icmp_policy global

And the second one is creating an access-list like this:

! Permit ICMP in both directions; the global keyword applies the ACL to all interfaces
access-list ICMP extended permit icmp any any
access-group ICMP global

Both do the same job.


Rene,

Working on this lab using an ASA 5505, version Cisco Adaptive Security Appliance Software Version 8.4(2).

I tried to replicate the lab above, but I can't add an IP address to the actual interface; I need to add them to a VLAN interface. How can I do that and have each zone on a different subnet? Any advice/example would be greatly appreciated.

Regards,

Juan Iniguez

Hi Juan,

The main difference between the 5505 and the 5510 or higher is that the 5505 has switchports and VLAN interfaces. The 5510 only has L3 interfaces.

Configuration is similar to a L3 switch, here’s an example for an INSIDE and OUTSIDE:

ASA(config)# interface vlan 100
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# security-level 0
ASA(config-if)# ip address 192.168.1.254 255.255.255.0
ASA(config-if)# no shutdown

ASA(config-if)# interface vlan 200
ASA(config-if)# nameif INSIDE
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.2.254 255.255.255.0
ASA(config-if)# no shutdown

ASA(config-if)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 100
ASA(config-if)# no shutdown

ASA(config-if)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 200
ASA(config-if)# no shutdown

The 5505 is the last ASA that uses these switchports and VLAN interfaces, the 5506 has 8x L3 interfaces.

Hope this helps!

Rene


Rene,


I guess my biggest issue is how I can ping from the inside zone to the DMZ or outside zone, since they are on different VLANs?

Hi Juan,

The only thing you have to do is make sure that devices on the inside use your ASA as the default gateway. Traffic on the outside should use your ASA as the destination when it wants to reach the subnet of your inside or DMZ, that's it.

In this lesson:

https://networklessons.com/security/cisco-asa-security-levels/

I am using a router on the inside and outside, both are using the ASA as their default gateway.

Rene


Hi Rene,

I have tested (pinging) the topology with your configuration and got OK, but when I try to ping the ASA interface IPs (192.168.2.254 & 192.168.3.254) from an inside host, it's not pinging. Could you please explain this a little bit? Thanks

Hi Mohammad,

By design, the ASA doesn't allow pinging an interface on the ASA from a host that is behind another interface. As in your example, you won't be able to ping the outside or DMZ interfaces from an inside host.

It’s the default behavior but I’m not sure why they designed it like this.

Rene


What is the security level of the DMZ and Outside? I think it could be any value from 0 to 100. Please clarify this. Thanks

br//
zaman

Hi Zaman,

The default security level of an interface will be 0. The only exception is “inside” which has security level 100 by default.

For the DMZ you can pick anything between 1-99, I personally like to pick 50 if I only need inside/outside and DMZ.

Rene

Rene

In the above diagram, does the router in front of the ASA represent an on-premises router or an ISP router?

I have Comcast connected to ASA 5505 then a 2821 router between the LAN and ASA 5505.

Should an on-premises router be in front of the firewall? So the connection would be Comcast into the 2821, then the ASA 5505 between the ASA 5505 and the LAN?

Thanks.

Hi Donald,

In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.

Rene

OK. Got it. Thanks

Hi Rene,

To allow the DMZ traffic, would you need to put an ACL on the inside interface allowing DMZ traffic, or on the inside interface allowing the DMZ source to come in? Or do you need to put ACLs on both interfaces?

If the DMZ is, say, the 172.16.1.0/24 range and Inside is the 192.168.1.0/24 range, would you put an ACL on the DMZ interface allowing 172.16.1.0/24 access to 192.168.1.0/24 and then put the same ACL on the inside as well?

Hi Zahan,

Traffic from a higher security level to a lower security level is no problem. DMZ traffic (50) is allowed to go to the outside (0) by default.

Traffic from the outside (0) to the DMZ (50) is prohibited so you’ll need an access-list to permit it.

Take a look at this example:

Cisco ASA Access-List

Rene

Hi Rene,

I have a similar question to one of the others. I'm using Packet Tracer with the 5505… I can't create a DMZ; it lets me create everything except that when I try to create the NAMEIF it gives me:

ciscoasa(config-if)#nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

and the show ver shows 3 VLANs with DMZ restricted:

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual

Please explain why. Thanks

Hi Marcus,

The base license only allows you to create 3 VLANs, but the DMZ is restricted. Here’s how it works:

Let’s say you have an INSIDE, OUTSIDE and DMZ interface. This means you can have traffic like this:

INSIDE <> OUTSIDE
INSIDE <> DMZ
DMZ <> OUTSIDE

The ASA 5505 base license doesn’t allow these three different traffic paths. You need to disable one of the traffic paths and I believe in one direction only. You can use the no forward command for this. For example, you could use this to disable traffic from INSIDE > DMZ, once you do this, you should be able to use all 3 interfaces.

It is a kinda lame restriction. The security plus license gets rid of this…

Rene
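Putting the points from the thread together as an added example (this is not configuration from the lesson or from any post above): a 5505 base-license layout with OUTSIDE, INSIDE and DMZ VLAN interfaces, the default security levels, ICMP inspection in the default global policy, the `no forward` restriction that the license error asks for, and an access-list that opens one service from the lower security level (OUTSIDE) to a DMZ host. VLAN 300, the DMZ addressing, the host 172.16.1.10 and port 80 are assumptions; `no forward interface vlan` is used in its documented sense, which keeps the DMZ from initiating traffic to the VLAN named.

```cisco
! ASA 5505 base license: three VLAN interfaces, one of them restricted (example, addresses assumed)
interface vlan 100
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.254 255.255.255.0
 no shutdown
!
interface vlan 200
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0
 no shutdown
!
! The base license only allows a third VLAN if it cannot initiate traffic to one
! of the others; "no forward" must be entered before nameif on this interface.
interface vlan 300
 no forward interface vlan 200
 nameif DMZ
 security-level 50
 ip address 172.16.1.254 255.255.255.0
 no shutdown
!
interface ethernet 0/0
 switchport access vlan 100
 no shutdown
interface ethernet 0/1
 switchport access vlan 200
 no shutdown
interface ethernet 0/2
 switchport access vlan 300
 no shutdown
!
! Default rule: INSIDE (100) -> DMZ (50) -> OUTSIDE (0) is allowed, the reverse is not.
! ICMP is not inspected by default, so echo replies are dropped unless this is added:
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Open a single service from OUTSIDE (0) to one DMZ host (50, assumed address);
! all other traffic from a lower to a higher security level stays blocked.
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 80
access-group OUTSIDE_IN in interface OUTSIDE
```

With this in place, an inside host can still reach both the DMZ and the outside, while outside hosts only reach the one DMZ port the access-list names.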

I followed all the steps, but I can't ping from inside to outside.

When I telnet from R1 to 192.168.2.2:

R1(config)#do telnet 192.168.2.2
Trying 192.168.2.2 ... 
% Destination unreachable; gateway or host down

R1(config)#

Do I have to configure a route on the ASA?