Cisco Labs – Network Security (14) – ASA as transparent firewall


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and a schema. The complete task can be downloaded from my OneDrive.

NS2 – Module 2 – 8.3.3 ASA task definition

ASA as transparent firewall

Goal

  • Configure the ASA as a transparent firewall.
  • Generate test traffic over HTTP, FTP and ICMP.
  • Apply an access list and recheck the configuration.
  • Do not forget to clear the configuration before starting.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-8.3.3_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig int3 10.0.0.2 netmask 255.255.255.0			;set IP address on PC1's interface int3
route add default gw 10.0.0.1 dev int3				;set default gateway

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#aaa new-model							;enable AAA (needed to define authentication lists)
SERVER(config)#aaa authentication login telnet local			;method list "telnet": authenticate against the local user database
SERVER(config)#username cisco password cisco				;local username and password used by the list above
SERVER(config)#enable password cisco						;set enable password for privileged mode
SERVER(config)#ip http server							;enable HTTP server
SERVER(config)#ftp-server enable							;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/					;set top directory for FTP server
SERVER(config)#line vty 0 4								;enable telnet connections
SERVER(config-line)#login authentication telnet				;apply the "telnet" method list to the vty lines (otherwise the list is never used)

ASA

1) Firewall settings

ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent						;set up firewall in transparent (layer 2) mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside							;"outside" gets security level 0
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside							;"inside" automatically gets security level 100
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# ip address 10.0.0.253 255.255.255.0			;set management IP address for the firewall (same subnet as the bridged hosts)
ASA1(config)# debug icmp trace							;turn on debug for ICMP traffic through the firewall

Check connectivity as described in Function test (F1) before applying the access lists.

2) Apply access lists

ASA1(config)# access-list FWRULEIN permit icmp any any			;allow ICMP (ping) through the firewall
ASA1(config)# access-list FWRULEIN permit udp any any eq 20		;note: FTP runs over TCP, so this UDP entry matches no FTP traffic
ASA1(config)# access-list FWRULEIN permit udp any any eq 21		;same as above; FTP control is covered by the "eq ftp" (TCP 21) entry below
ASA1(config)# access-list FWRULEIN permit tcp any any eq www		;allow HTTP (TCP 80)
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp		;allow FTP control channel (TCP 21)
									;everything else is dropped by the implicit deny at the end of the list

ASA1(config)# access-group FWRULEIN in interface outside			;apply the list to traffic entering the outside interface
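As an added example (not part of the lab or of Cisco's software), the following Python script models the ASA's first-match evaluation of the "any any [eq port]" access-list form used above, so you can predict the F2 results before running the tests. It embeds the FWRULEIN list exactly as typed above and shows that the UDP 20/21 entries do not cover FTP's TCP data channel; the PORT_NAMES table is a constructed subset of the ASA port keywords.

```python
# Added example (not from the lab): a first-match evaluator for the ASA
# "access-list <name> permit|deny <proto> any any [eq <port>]" form, used
# to predict which of the function-test flows the FWRULEIN list permits.
import re
from collections import namedtuple

# ASA port keywords used below (constructed subset of the real keyword table)
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

Rule = namedtuple("Rule", "action proto dst_port")
Flow = namedtuple("Flow", "proto dst_port")
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+any\s+any"
                    r"(?:\s+eq\s+(\S+))?\s*$")

def parse_acl(lines, name):
    """Parse the any-to-any access-list entries of <name>, keeping their order."""
    rules = []
    for line in lines:
        line = line.split(";", 1)[0]            # strip the page's ;comments
        line = line.split("# ", 1)[-1].strip()  # strip the 'ASA1(config)# ' prompt
        m = ACL_RE.match(line)
        if m and m.group(1) == name:
            port = m.group(4)
            if port is not None:
                port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            rules.append(Rule(m.group(2), m.group(3), port))
    return rules

def evaluate(rules, flow):
    """First matching entry decides; every ASA ACL ends with an implicit deny."""
    for r in rules:
        if r.proto in ("ip", flow.proto) and r.dst_port in (None, flow.dst_port):
            return r.action
    return "deny"

# The FWRULEIN list as typed in the post (note the UDP 20/21 entries)
ORIGINAL = """
ASA1(config)# access-list FWRULEIN permit icmp any any
ASA1(config)# access-list FWRULEIN permit udp any any eq 20
ASA1(config)# access-list FWRULEIN permit udp any any eq 21
ASA1(config)# access-list FWRULEIN permit tcp any any eq www
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp
""".strip().splitlines()

# Flows from the function test plus two that are not in the list (constructed)
TESTS = {"ping": Flow("icmp", None), "http": Flow("tcp", 80),
         "ftp-ctrl": Flow("tcp", 21), "ftp-data": Flow("tcp", 20),
         "telnet": Flow("tcp", 23), "udp20": Flow("udp", 20)}

def predict(config=ORIGINAL):
    """Map each test flow name to 'permit' or 'deny' under the given list."""
    rules = parse_acl(config, "FWRULEIN")
    return {name: evaluate(rules, flow) for name, flow in TESTS.items()}

if __name__ == "__main__":
    for name, verdict in predict().items():
        print(f"{name:9s} {verdict}")
```

The "ftp-data" verdict shows why the UDP entries are no substitute for a TCP rule; on a real ASA the FTP data channel is instead opened dynamically by the default FTP inspection.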

Function test

The pictures are taken from the text web browser lynx; you will get similar results from a graphical browser on Linux or Windows.

F1) Before access lists

outside -> inside

ASA1(config)# debug icmp trace							;turn on debugging for ICMP
PC1#ping 10.0.0.253								;ping firewall MGMT address
PC1#ping 10.0.0.254								;ping server
PC1#lynx http://10.0.0.254							;initiate HTTP connection with the server - this traffic is permitted by default
PC1#lynx ftp://10.0.0.254							;initiate FTP connection with the server

The pictures show the results of these commands.

NS2-8.3.3_ASA_DIA1-1

NS2-8.3.3_ASA_DIA1-2

inside -> outside

SERVER#ping 10.0.0.100								;ping PC1 from server (PC1 was given 10.0.0.2 in its configuration above; use the address PC1 actually has)

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA1-3

F2) After access lists application

outside -> inside

PC1#ping 10.0.0.253								;ping firewall MGMT address
PC1#ping 10.0.0.254								;ping server
PC1#lynx http://10.0.0.254							;initiate HTTP connection with the server
PC1#lynx ftp://10.0.0.254							;initiate FTP connection with the server

The pictures show the results of these commands.

NS2-8.3.3_ASA_DIA2-1

NS2-8.3.3_ASA_DIA2-2

inside -> outside

SERVER#ping 10.0.0.100								;ping PC1 from server (PC1 was given 10.0.0.2 in its configuration above; use the address PC1 actually has)

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA2-3

Optional tasks

  • Try configuring different access lists that deny and permit different types of traffic.