Lab 3: ASA Basic Configuration
LAB Topology
This lab was developed on IOS Version 15.6(2)T and ASA Virtual 9.8. The objective of the lab is to get the devices ready for communication and to analyze how traffic flows between zones through the firewall.

Task 1: Initial Configuration:
Step 1: Configure all the routers with their respective IP addresses and static routes (refer to the LAB Topology).
Router#conf t
Router(config)#hostname IN
IN(config)#interface fa0/0
IN(config-if)#ip address 100.0.0.1 255.255.255.0
IN(config-if)#no sh
IN(config-if)#exit
IN(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.10
IN(config)#line vty 0 4
IN(config-line)#password cisco
IN(config-line)#login
IN(config-line)#exit
IN(config)#exit

Router#conf t
Router(config)#hostname OUT
OUT(config)#interface fa0/0
OUT(config-if)#ip address 200.0.0.2 255.255.255.0
OUT(config-if)#no sh
OUT(config-if)#exit
OUT(config)#ip route 100.0.0.0 255.255.255.0 200.0.0.10
OUT(config)#ip route 1.1.1.0 255.255.255.0 200.0.0.10
OUT(config)#line vty 0 4
OUT(config-line)#password cisco
OUT(config-line)#login
OUT(config-line)#exit
OUT(config)#exit

Router#conf t
Router(config)#hostname DMZ
DMZ(config)#interface fa0/0
DMZ(config-if)#ip address 1.1.1.3 255.255.255.0
DMZ(config-if)#no sh
DMZ(config-if)#exit
DMZ(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.10
DMZ(config)#line vty 0 4
DMZ(config-line)#password cisco
DMZ(config-line)#login
DMZ(config-line)#exit
DMZ(config)#exit
Task 2: Configuration on ASA Firewall:
Step 1: Configure the ASA Firewall with IP addresses and zone information (refer to the LAB Topology).
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# interface gi0/0
ciscoasa(config-if)# ip address 100.0.0.10 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
ciscoasa(config)# interface gi0/1
ciscoasa(config-if)# ip address 200.0.0.10 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
ciscoasa(config)# interface gi0/2
ciscoasa(config-if)# ip address 1.1.1.10 255.255.255.0
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
Step 2: Verify the IP addresses and zone information on the ASA firewall.
ciscoasa(config)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         100.0.0.10      YES manual up                    up
GigabitEthernet0/1         200.0.0.10      YES manual up                    up
GigabitEthernet0/2         1.1.1.10        YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down up
GigabitEthernet0/4         unassigned      YES unset  administratively down up
GigabitEthernet0/5         unassigned      YES unset  administratively down up
GigabitEthernet0/6         unassigned      YES unset  administratively down up
Management0/0              unassigned      YES unset  administratively down up
ciscoasa(config)# show nameif
Interface                Name                     Security
GigabitEthernet0/0       inside                   100
GigabitEthernet0/1       outside                    0
GigabitEthernet0/2       dmz                       50
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: 3002b2ff ef849a90 3814bb98 20c0a7c3
7324 bytes copied in 0.440 secs
[OK]
Step 3: Inspect the flow of traffic between zones through the ASA firewall.
IN#telnet 200.0.0.2
Trying 200.0.0.2 ... Open
User Access Verification
Password:
OUT>

ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 200.0.0.2:23 inside 100.0.0.1:19180, idle 0:00:09, bytes 337, flags UIO

IN#telnet 1.1.1.3
Trying 1.1.1.3 ... Open
User Access Verification
Password:
DMZ>

ciscoasa(config)# sh conn
2 in use, 2 most used
TCP dmz 1.1.1.3:23 inside 100.0.0.1:24438, idle 0:00:02, bytes 119, flags UIO

DMZ#telnet 200.0.0.2
Trying 200.0.0.2 ... Open
User Access Verification
Password:
OUT>

ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 200.0.0.2:23 dmz 1.1.1.3:39204, idle 0:00:05, bytes 127, flags UIO

OUT#telnet 100.0.0.1
Trying 100.0.0.1 ...
% Connection timed out; remote host not responding

OUT#telnet 1.1.1.3
Trying 1.1.1.3 ...
% Connection timed out; remote host not responding

DMZ#telnet 100.0.0.1
Trying 100.0.0.1 ...
% Connection timed out; remote host not responding
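The results of Step 3 follow directly from the security levels set in Task 2: with no ACLs applied, the ASA permits connections initiated on a higher-security interface towards a lower one and drops the reverse. The following script is an added illustration, not part of the lab; it models that default policy for the lab's three interfaces and parses the `show conn` lines above to confirm each recorded connection was opened from the higher-security side (the field layout and the meaning of the `B` flag are assumptions about this ASA version's output).

```python
"""Model the ASA default inter-interface policy observed in Step 3."""
import re

# Security levels assigned in Task 2 (nameif defaults plus `security-level 50`).
SECURITY_LEVELS = {"inside": 100, "outside": 0, "dmz": 50}


def default_policy_allows(src_if, dst_if, levels=SECURITY_LEVELS):
    """True if a connection initiated on src_if towards dst_if is permitted by
    the default (no-ACL) policy. Equal levels would need
    `same-security-traffic permit inter-interface`, which the lab does not
    configure, so they are treated as denied."""
    return levels[src_if] > levels[dst_if]


def expected_matrix(levels=SECURITY_LEVELS):
    """Verdict for every ordered pair of distinct interfaces."""
    return {(s, d): default_policy_allows(s, d, levels)
            for s in levels for d in levels if s != d}


# One `show conn` entry as printed in Step 3. Assumed layout: protocol,
# lower-security side, higher-security side, idle time, bytes, flags.
_CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<lo_if>\w+)\s+(?P<lo_ip>[\d.]+):(?P<lo_port>\d+)"
    r"\s+(?P<hi_if>\w+)\s+(?P<hi_ip>[\d.]+):(?P<hi_port>\d+),"
    r"\s+idle\s+\S+,\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\w+)$")


def parse_conn(line):
    """Parse a `show conn` entry and work out which side initiated it.
    Assumption: flag 'B' marks a SYN that arrived on the lower-security side;
    without it, the higher-security side opened the connection."""
    m = _CONN_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised conn line: %r" % line)
    conn = m.groupdict()
    from_lower = "B" in conn["flags"]
    conn["initiator_if"] = conn["lo_if"] if from_lower else conn["hi_if"]
    conn["responder_if"] = conn["hi_if"] if from_lower else conn["lo_if"]
    return conn


def conn_matches_policy(line):
    """Check that a recorded connection runs in a direction the default
    policy allows; a False here would point at an ACL or NAT exemption."""
    conn = parse_conn(line)
    return default_policy_allows(conn["initiator_if"], conn["responder_if"])
```

Running `expected_matrix()` yields the same six verdicts as the telnet tests: the three higher-to-lower attempts succeed and the three lower-to-higher attempts time out.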