Pages

Monday, 14 May 2012

ASA 5500 Adding a DMZ Step By Step


ASA 5500 Adding a DMZ Step By Step
 
Problem
Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.
Assumptions
1. Networks,
a. Inside network is 10.1.0.0 255.255.0.0
b. Outside network is 123.123.123.120 255.255.255.248
c. DMZ network is 172.16.1.0 255.255.0.0
2. Interfaces,
a. Inside Interface is 10.1.0.254
b. Outside Interface is 172.16.1.254
c. DMZ Interface is 172.16.1.254
3. The Web server in the DMZ will have the following IP addresses,
a. DMZ IP address 172.16.1.1
b. Public IP address 123.123.123.124
4. From the Internet you want to allow web traffic and secure web traffic (http/www andhttps/ssl) to the DMZ Server.
5. The DMZ Server needs to speak to a database server on the inside LAN, on TCP port 1433.
Solution
1. Firstly connect to the ASA log in and go to enable mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
2. Go to configure terminal mode and set up the DMZ interface (In this case Ethernet0/2).
PetesASA# conf t
PetesASA(config)# interface Ethernet0/2
PetesASA((config-if)# nameif DMZ
PetesASA((config-if)# security-level 50
PetesASA((config-if)# ip address 172.16.1.254 255.255.0.0
PetesASA((config-if)# no shutdown
PetesASA((config-if)# exit
3. I like to name the DMZ entities IP addresses so things look neat.
PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP
4. Set a some NAT statement to handle traffic flow. (assuming you have a matching global statement like global (outside) 1 xxx - "show run global" will tell you).
PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0
Note We are only going to have one DMZ host, and it will have a static mapping - if you had many DMZ hosts then also add "global (DMZ) 1 interface".
5. Now add some static mappings.
PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
6. To let people from outside you need to either create an access-list or add some rules to any existing inbound access-list. ("show run access-group" will tell you, look for an ACLapplies "in" to the outside interface e.g. "access-group outbound in interface inside". We will assume I don't have one so i'll need the access-group at the end.
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq https
PetesASA(config)# access-group inbound in interface outside
7. Now to allow the DMZ host to get to the database server I'm going to allow TCP 1433.
PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433
PetesASA(confi
g)# access-group DMZ_outbound in interface DMZ
8. Finally save the configuration.

Block Facebook & Google Talk on ASA


Block Access to Facebook on Cisco ASA with MPF
Problem
If you have an ASA5510 then this sort of thing would be better handled with a CSCModule, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution
NOTE: This can be used for any web site simply add each URL you want to block.
Solution
1. Log into your firewal,l and enter enable mode, then enter configure terminal mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)#
2. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)
PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#
3. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)
PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#
4. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).
PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#
5. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above....
PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#
6. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.
PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#
7. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so....
Note: If it does not error then it was NOT applied :)
PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#
8. Don't forget the save the config with a "write mem" command.
If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues).

regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside


Blocking Google Talk (Cisco ASA)
 
Problem
You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.
Solution
Yes, you could write a REGEX and block it with an MPF, like I did here, to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA, and go to configure terminal mode.
PetesASA>
PetesASA> en
Password: ********
PetesASA# configure terminal
PetesASA(config)#
2. Lets keep things neat and name our four Goolge Talkservers.
PetesASA(config)# name 216.239.37.125 Google-Talk-Server-1
PetesASA(config)# name 72.14.253.125 Google-Talk-Server-2
PetesASA(config)# name 72.14.217.189 Google-Talk-Server-3
PetesASA(config)# name 209.85.137.125 Google-Talk-Server-4
3. Then lets create a group for those servers.
PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host 216.239.37.125
PetesASA(config-network-object-group)# network-object host 72.14.253.125
PetesASA(config-network-object-group)# network-object host 72.14.217.189
PetesASA(config-network-object-group)# network-object host 209.85.137.125
4. And then a group for the ports we want to block.
PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www
5. To tie it all together we can simply add one ACL.
PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
Note: This assumes you have an ACL called "outbound" thats applied to your outbound traffic, yours may have a different name, to find out issue a "show run access-group" command like so, your outbound ACL will be allied "in interface inside". If yours is called something different then change the command above accordingly. If you don't have one at all skip to step 6.
PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#
6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic. andAFTER you have carried out step 5.
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any

Deploy Cisco ASA 55xx in Active / Standby Failover


Deploy Cisco ASA 55xx in Active / Standby Failover
 
Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions.
Hardware on both ASA firewalls is identical.
The correct licence's for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).
In this example the firewalls were ASA5510's and all interfaces were being used, so the Management port was used as the "Failover Link" (That needs a security plus licence!).
This Link will use a crossover cable (Only available after version 7.0(2) before that you had to use a switch - I think!).
Also I'm using the same link for LAN Based failover (heartbeat) AND Statefull replication.
IP Addresses
Each interface will need its existing IP address, and an address to use whilst in "Standby". In this example I will use the following,
Outside Interface (Ethernet 0/0) 123.123.123.123 255.255.255.0
Outside Interface STANDBY 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1) 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2) 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY 192.168.2.254 255.255.255.0
Inside Interface (Ethernet 0/3) 172.16.1.1 255.255.255.0
Inside Interface (STANDBY) 172.16.1.254 255.255.255.0
Failover Interface (Management0/0) 172.16.254.254 255.255.255.0
Failover Interface STANDBY 172.16.254.250 255.255.255.0
 
Step 1 Carry Out this procedure on the PRIMARY (Already configured and working) firewall.
 
1. Backup the running config on the primary firewall.
PetesASA# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd

8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#
2. Blow away the config on the interface you are going to use for failover.
PetesASA(config)# clear configure interface m0/0
PetesASA(config)# int m0/0
PetesASA(config-if)# no shut
PetesASA(config)#
3. Change the interface IP addresses – (to add the standby addresses for each interface).
PetesASA(config)#
PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface Ethernet0/1
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface Ethernet0/2
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface Ethernet0/3
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#

4. Set up the failover LAN interface (In config mode!).
PetesASA(config)#
PetesASA(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#

5. Setup failover link IP address.
PetesASA(config)#
PetesASA(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
PetesASA(config)#

6. Setup a shared key.
PetesASA(config)#
PetesASA(config)# failover lan key 666999
PetesASA(config)#

7. Set it as the primary firewall.
PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#
8. Turn on failover.
PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#
9. Now we need to enable statefull failover.
PetesASA(config)#
PetesASA(config)# failover link failover Management0/0
PetesASA(config)#
10. Save the config.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

Cannot Access / Open ASDM

Cannot Access / Open ASDM
 
Problem
Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java make sure the machine has Java installed.
2. Make sure the internet browser you are using is supported:
Operating SystemBrowserSun Java SE Plug-in1
Internet ExplorerFirefox2Safari
Microsoft Windows (English and Japanese):
7
Vista
2008 Server
XP
6.0 or later1.5 or laterNo support6.0
Apple Macintosh OS X:
10.6
10.5
10.4
No support1.5 or later2.0 or later6.0
Red Hat Enterprise Linux 5 (GNOME or KDE):
Desktop
Desktop with Workstation
N/A1.5 or laterN/A6.0
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common "gotcha"!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is "allowed" access
1. Connect to the firewall using either SSHTelnet, or via the Console Cable.
2. Log into the firewall, go to enable mode > Enter the enable password.
Type help or '?' for a list of available commands.
PetesASA>
PetesASA> en
Password: ********
PetesASA#
3. The ASDM is enabled with the command "http server enabled", to make sure that's there issue a "show run http" command"
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
Note: if the command is NOT there, you need to issue the following three commands:
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
Note: If you see a number after the command e.g. "http server enable 2456" then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you're port forwarding https but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:
PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
5. At this point try and access the ASDM again.
6. The ASA needs to be told what file to use for the ASDM, to make sure its been told issue the following command, (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewal)l.
PetesASA# show run asdm
asdm image disk0:/asdm-631.bin
Note: on a Cisco PIX the results will look like..
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
7. Write down the file that it has been told to use (in the example above asdm-632.bin). Then make sure that file is actually in the firewalls memory with a "show flash" command.
PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-631.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2
.3.0254-k9.pkg

127135744 bytes total (29583360 bytes free)
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that's listed in your flash memory).
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
 

RDP to Multiple Servers with a Cisco PIX/ASA Firewall


RDP to Multiple Servers with a Cisco PIX/ASA Firewall
 
Problem
You want to connect via "Remote Desktop" to multiple servers behind your firewall. To do this you have three options.
Solution
Option 1 (Use if you have multiple free Public IP addresses)
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", and create a names entity for each Servers public and Private Address
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External
Now Allow RDP to both of the servers with an Access con troll list and apply that access con troll list to the outside interface (Note if you already have in inbound ACL simply substitute the name "inbound" for yours.
Petes-ASA(config)# access-list inbound extended permit tcp any host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside
 
Option 2 (Uses Port Forwarding and uses a different port for each server).
To deploy this option the ASA will accept the connection for each server on a different port, to do this each server must listen on a different port.
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode" then allow each port you are going to use (in this case 3389 and 3390)
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then Port Forward those ports to the correct internal servers.
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255
 
Option 3 (Uses Port Forwarding and uses a different port for each server).
This differs from option 2 because in this example the firewall will translate each incoming port to RDP 3389 and sent it to the correct Server.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then Port Forward AND TRANSLATE those ports to the correct internal servers.
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

Cisco PIX / ASA Port Forwarding


Cisco PIX / ASA Port Forwarding

Using Command Line, ASDM and PDM

 

Problem

Note: Port forwarding has changed on PIX/ASA devices running OS 8.3 for the new syntax go here.

Cisco PIX/ASA Port forwarding (Pre Version 8.3)

Port forwarding on Cisco firewall's can be a little difficult to get your head around, to better understand what is going on remember in the "World of Cisco" you need to remember two things.....
1. NAT Means translate Many addresses to FEW Addresses
2. PAT Means translate many addresses to ONE Address.
Why is that important you ask? Well most networking types assume NAT is translating one address to many,BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything. e.g. the first connection out might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049 so when the traffic comes back the firewall knows where to send it.
Fair enough but what has that got to do with Port Forwarding? Well you can use the exact same system to lock a port to an IP address - so if only one port can go to one IP address then that's going to give you port forwarding :)
To make matters more confusing (sorry) you configure PAT in the NAT settings, for this very reason it confuses the hell out of a lot of people and the GUI is not intuitive for configuring Port forwarding (the ADSM is better than the old PDM) but most people prefer to use command line to do port forwarding.
Below you will find
Option 1 Use Command Line Interface
Option 2 Use ASDM (PIX v7 and ASA Only)
Option 3 Use PDM (PIX v6 Only)
Solution
 

Option 1 Use the Command Line to Port Forward (pre version 8.3)
1 Port to 1 IP Address

 

Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
firewall>
1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example We will assume I've got a server at 10.254.254.1 and Its a mail server so I want to Forward all TCP Port 25 traffic to it. connect to the Firewall via Console/Telnet or SSH
firewall> enable
Password: ********
firewall#
2. Enter enable mode, and enter the enable mode password.
firewall# configure terminal
firewall(config)#
3. Now we need to go to configuration mode.
firewall(config)#access-list inbound permit tcp any interface outside eq smtp
firewall(config)#
4. Before we can configure port forwarding we need to allow the traffic (this is a firewall after all), to allow traffic you need an access list.
firewall(config)#access-group inbound in interface outside
firewall(config)#
5. Remember access-lists WONT work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command
firewall(config)#static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
firewall(config)#
6. Lastly the command that actually does the port forwarding. (static command)
firewall(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
firewall(config)#
7. Don't forget to save your hard work. (write memory)
 

Option 2 Use the ASDM (PIX V7 and ASA5500)
1 Port to 1 IP Address

 
1. As above you will need to know the port and the IP to forward it to, Launch the ASDM, Select Configuration > Security Policy > Then either Rule Add, or right click the incoming rules and select "Add Access Rule"
2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp > OK > Apply.
3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click "Add Static NAT Rule"
4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick "Enable Port Translation (PAT) > Protocol = TCP > Original Port = smtp > Translated Port =smtp > OK > Apply.
5. File > "Save Running Configuration to Flash."
.

Option 3 Use the PIX Device Manager (PIX Version 6 Only)
1 Port to 1 IP Address

 
1. As above you will need to know the port and the IP to forward it to, Launch the PIX Device manager, Select Configuration > Access Rules > Then either click "Rule"s > Add or Right click an incoming rule and select > "Insert Before" or "Insert After".
2. Under the "Action" select "Permit", Under Source Host/Network Select "Outside", and all the zeros, Under Destination Host/Network Select "Inside" and all the zeros then set the "Destination Port" to smtp > OK > Apply.
3, Now select the "Translation Rules" tab, Rules Add or Right click a rule and select "Insert before" or "Insert After".
4. In this example I've set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I've blurred out the public IP Address you will need to add this also. > OK > Apply.
5. Finally save your work > File > "Save Running Configuration to Flash." > Exit.
 

Cisco PIX/ASA Port forwarding (Post Version 8.3)

 
Note: Port forwarding has changed on PIX/ASA devices running OS 8.3 and above,in regards to port forwarding. There is no longer a global command, for a full rundown of the changes click here.
If you issue a global command after version 8.3 you will see this error,
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

From Command Line


Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA>
1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example We will assume I've got a server at 10.254.254.5 and Its a mail server so I want to Forward all TCP Port 80 traffic (HTTP) to it. connect to the Firewall via Console/Telnet or SSH
PetesASA> enable
Password: ********
PetesASA#
2. Enter enable mode, and enter the enable mode password.
PetesASA# configure terminal
PetesASA(config)#
3. Now we need to go to configuration mode.
PetesASA# configure terminal
PetesASA(config)# object network Internal_Web_Server
PetesASA(config-network-object)# host 10.254.254.5
4. Create an object for the web server that the traffic is going to be forwarded to.
PetesASA(config-network-object)# nat (inside,outside) static interface service tcp http http
PetesASA(config-network-object)# exit
5. Then create a NAT translation for the port to be forwarded. then you can exit the network object prompt.
PetesASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http
6. Now you need to allow the http traffic in
PetesASA(config)# access-group inbound in interface outside
PetesASA(config)#
7. Remember access-lists WONT work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command
PetesASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
PetesASA(config)#
8. Don't forget to save your hard work. (write memory)

Backup and Restore a Cisco Firewall


Backup and Restore a Cisco Firewall.

 

Problem

There are many different versions of PIX and ASA Firewall's, if you want to get a backup of the configuration and save it elsewhere - so in the event of a failure, (or more likely someone tinkering and breaking the firewall). you will be able to recall and restore that configuration. By far the easiest is to use a TFTP server - and it works on ALL versions, so learn it once and use it many times.
Note: Some people flatly refuse to use command line, if that's you, you can also backup and restore from the ASDM click here.
OK for starters you need to get a TFTP server - while this sounds very grand, its a little piece of software that will run on just about any windows PC, I use an application called 3CDeamon and I've put information on how to get it and how to set it up (about 5 min's work) HERE.
So I'll assume you have the TFTP server installed and running and you know what IP address the machine that's running it, is using.
NOTETFTP uses TCP Port 69 if you have firewall's in between the one you are working on, and the TFTPserver then this port needs to be open.

Solution

Backup

1. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#

2. To back up the firewall you need to specify the IP address of where you want to send it(i.e. the TFTP server), what you want to call the backup, and you tie them together with a "Write Net" command. The syntax is,
write net {ip address}:{filename} 
ciscoasa# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
ciscoasa#
3. On your TFTP server you will see that a file has been received.
4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore.

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.
2. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#
3. Enter configuration mode using the "conf t" command.
ciscoasa# conf t
ciscoasa(config)#
4. Unlike when you backed up the firewall to restore the configuration you use the copy tftp start command.
ciscoasa(config)# copy tftp start
5. Supply it with the IP address of your TFTP Server.
Address or name of remote host []? 172.254.1.2
6. Supply it with the name of the file you backed up earlier.
Source filename []? firewall_backup
7. The file will get copied over.
Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
ciscoasa(config)#
8. On your TFTP server you will see the file being "copied out"
9. Not finished yet, the file now lives in the "Startup" configuration so its not been loaded from memory yet, the best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter.
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---
10. After the reboot, you will be running on the restored configuration.
 
Note: With a Version 6 Firewall - restoring a config from TFTP simply "Merges" the new one with the config on the firewall, in most cases this is NOT what you want, to get round this place the following command at the top of the config you are restoring
clear config all

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration.
asdm backup configuration
2. Browse Local.
asdm backup browse
3. Find somewhere to put the backup that you will be able to locate.
asdm backup locate
4. In this instance Ill "Backup All" > Backup.
 asa backup all
5. Let it do its own thing > Close.
asdm backup progress
6. Take a quick look at the report > OK.
asdm backup report

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration.
asdm backup configuration
8. Browse Local.
browse backup
9. Locate your backup and select it.
asdm backup
10. Next.
locate backup
11. In this instance I'm just going to restore the Start-up-configuration (Note: that means I will need to reboot the firewall when restored, before the restored config takes effect) > Restore.
asdm backup start-up-config
12. You will be asked if you want to merge or replace the config. (Note: merge is handy if there's been a couple of config changes) > I'm going to replace it.
merge config
13. Let it restore the files, then restart ASDM.
asdm restore asa

ICMP PING CMD IN FIREWALL & ASDM


Cisco Firewalls and PING(Note: Tracert uses Ping protocols and the firewall treats ping and tracert the same)
 
Problem
With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside.

OK – to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not “connection orientated” what that means is, (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won’t let ping traffic back in – this results in a failure on the client.
Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It’s NOT turned on by default. And the command is “inspect icmp” but you need to enter the default map first (this assumes you have the standard policy-map).Connect to the firewall and use the following commands from config terminal mode. then save the changes with a "write mem" command.
PetesASA>
PetesASA> 
en
Password: 
********
PetesASA# 
conf t
PetesASA(config)# 
policy-map global_policy
PetesASA(config)# (config-pmap)#
 class inspection_default
PetesASA(config)#
 inspect icmp
PetesASA(config)# 
write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Cisco PIX (version 6 and below) From CLI
Older firewall do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return icmp traffic back in. Note: this assumes you already have an inbound access-list called "inbound", and we are adding some more lines to it, change the works inbound to match the name/number of your inbound access list (the "show access-group" will tell you what is applied to the outside interface) e.g.
PetesASA>
PetesASA> en
Password:
 ********
PetesASA# show access-group
access-group inbound in interface outside <<This ones called inbound.
If you already have an access-list applied then simply substitute the name word "inbound" for the name on your ACL.
PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply 
PetesASA(config)# access-list inbound permit icmp any any time-exceeded 
PetesASA(config)# 
access-list inbound permit icmp any any unreachable
PetesASA(config)# 
access-list inbound permit icmp any any source-quench
If you HAD an inbound ACL skip this step, If you didn't have one you need to apply the ACL with an access-group command.
PetesASA(config)# access-group inbound in interface outside
Lastly save your work with a write mem command.
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
Cisco PIX (version 6 and below) From PDM
Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select "echo-reply"> OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench
Stop Interfaces replying to Ping traffic
As stated above all firewall interfaces will respond to pings if they are on the network you are connected to. To stop this you use the "icmp" command.
Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.
Do the same from PDM
Connect to the PDM > Configuration > system Properties > Administration > ICMP > Add > > Specify the Type, Interface, Source etc > OK > Apply > File > Save running configuration to flash.