This topic is to discuss the following lesson:
Hi Rene,
I was trying to work on your topology above, but for some reason I can't ping to the other side of the ASA. The interfaces are up, and I even applied this default command:
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp
It still doesn't work on my GNS3. Do you have any idea about it?
What if you try something else that doesn’t require changing the policy-map? For example telnetting from one device in a high security level to something in a low security level?
Telnet is working fine, and I actually found 2 ways to allow ping on the ASA.
The first one is:
class-map global_policy
class-map icmp-class
 match default-inspection-traffic
class-map icmp
 match any
class-map inspection_default
!
!
policy-map icmp_policy
 class icmp
  inspect icmp
!
service-policy icmp_policy global
And the second one is creating an access list like this:
access-list ICMP extended permit icmp any any
access-group ICMP global
Both do the same job.
Working on this lab using an ASA 5505, version Cisco Adaptive Security Appliance Software Version 8.4(2).
I tried to replicate the lab above, but I can't add an IP address to the actual interface; I need to add them to a VLAN interface. How can I do that and have each zone on a different subnet? Any advice/example would be greatly appreciated.
The main difference between the 5505 and the 5510 or higher is that the 5505 has switchports and VLAN interfaces. The 5510 only has L3 interfaces.
Configuration is similar to a L3 switch, here’s an example for an INSIDE and OUTSIDE:
ASA(config)# interface vlan 100
ASA(config-if)# nameif OUTSIDE
ASA(config-if)# security-level 0
ASA(config-if)# ip address 192.168.1.254 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# interface vlan 200
ASA(config-if)# nameif INSIDE
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.2.254 255.255.255.0
ASA(config-if)# no shutdown
ASA(config)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 100
ASA(config-if)# no shutdown
ASA(config-if)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 200
ASA(config-if)# no shutdown
The 5505 is the last ASA that uses these switchports and VLAN interfaces, the 5506 has 8x L3 interfaces.
Hope this helps!
I guess my biggest issue is how I can ping from the inside zone to the DMZ or outside zone, since they are on different VLANs?
The only thing you have to do is to make sure that devices on the inside use your ASA as the default gateway. Traffic on the outside should use your ASA as the destination when they want to reach the subnet of your inside or dmz, that’s it.
In this lesson:
I am using a router on the inside and outside, both are using the ASA as their default gateway.
I have tested (pinging) the topology with your configuration and got OK, but when I try to ping the ASA interface IPs (192.168.2.254 & 192.168.3.254) from an inside host, it's not pinging. Could you please explain this a little bit? Thanks.
By design, the ASA doesn't allow pinging an interface on the ASA from a host that is behind another interface. Like in your example, you won't be able to ping the outside or DMZ interfaces from an inside host.
It’s the default behavior but I’m not sure why they designed it like this.
What is the security level of the DMZ and Outside? I think it could be any value from 0 to 100. Please clarify this. Thanks.
The default security level of an interface will be 0. The only exception is “inside” which has security level 100 by default.
For the DMZ you can pick anything between 1-99, I personally like to pick 50 if I only need inside/outside and DMZ.
In the above diagram does the router in front of the ASA represent an on premise router or an ISP router?
I have Comcast connected to ASA 5505 then a 2821 router between the LAN and ASA 5505.
Should an on premise router be in front of the firewall? So the connection would be Comcast into 2821 then ASA 5505 between ASA 5505 and the LAN?
In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.
Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.
OK. Got it. Thanks
To allow the DMZ traffic, would you need to put an ACL on the inside interface allowing DMZ traffic, or on the inside interface allowing the DMZ source to come in? Or do you need to put ACLs on both interfaces?
If the DMZ is, say, the 172.16.1.0/24 range and Inside is the 192.168.1.0/24 range, would you put an ACL on the DMZ interface allowing 172.16.1.0/24 access to 192.168.1.0/24 and then put the same ACL on inside as well?
Traffic from a higher security level to a lower security level is no problem. DMZ traffic (50) is allowed to go to the outside (0) by default.
Traffic from the outside (0) to the DMZ (50) is prohibited so you’ll need an access-list to permit it.
Take a look at this example:
I have a similar question like one of the others. I'm using Packet Tracer with the 5505, and I can't create a DMZ. It lets me create everything except when I try to create the NAMEIF, which gives me:
ciscoasa(config-if)#nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
and the show ver shows 3 VLANs with DMZ restricted:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
Please explain why. Thanks
The base license only allows you to create 3 VLANs, but the DMZ is restricted. Here’s how it works:
Let’s say you have an INSIDE, OUTSIDE and DMZ interface. This means you can have traffic like this:
INSIDE <> OUTSIDE
INSIDE <> DMZ
DMZ <> OUTSIDE
The ASA 5505 base license doesn’t allow these three different traffic paths. You need to disable one of the traffic paths and I believe in one direction only. You can use the no forward command for this. For example, you could use this to disable traffic from INSIDE > DMZ, once you do this, you should be able to use all 3 interfaces.
It is a kinda lame restriction. The security plus license gets rid of this…
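Pulling the replies above together, here is an added example of a three-zone ASA 5505 base-license configuration; it is not from the lesson or from any post in this thread. It uses the VLAN/switchport layout shown earlier, a DMZ at security level 50, the no forward command the license error asks for, ICMP inspection on the default global policy (so echo replies from a lower security level are allowed back), and one ACL to let outside hosts reach a DMZ server. The VLAN numbers, subnets, port assignments and the DMZ host 192.168.3.10 are assumptions made for illustration. On the base license, no forward interface has to be entered before nameif on the third VLAN interface; the form used here (no forward interface Vlan1 on Vlan3) stops the DMZ from initiating connections to the inside, while the inside can still reach the DMZ and return traffic flows normally.

```text
: Added example, not from the lesson. Subnets, VLAN numbers and
: port assignments are assumptions.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
: Base license: the no forward command must come before nameif here.
: This VLAN (dmz) cannot initiate traffic toward Vlan1 (inside).
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 3
!
: Inspect ICMP on the default global policy so pings from a higher
: security level to a lower one get their replies back.
policy-map global_policy
 class inspection_default
  inspect icmp
!
: Outside (0) to DMZ (50) is denied by default; permit only the one
: service on the one DMZ host (192.168.3.10 is an assumed address).
access-list OUTSIDE_IN extended permit tcp any host 192.168.3.10 eq 80
access-group OUTSIDE_IN in interface outside
```

Inside (100) to outside (0) and inside to DMZ (50) need no ACL because they go from a higher to a lower security level; the only lower-to-higher path opened here is TCP/80 from outside to the single DMZ host. Hosts in each zone still need the ASA's VLAN interface address as their default gateway, as noted in the replies above.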
I followed all the steps, but I can't ping from inside to outside.
When I telnet from R1 to 192.168.2.2:
R1(config)#do telnet 192.168.2.2
Trying 192.168.2.2 ...
% Destination unreachable; gateway or host down
Do I have to configure a route on the ASA?