
Monday 14 May 2012

ASA 5500 Adding a DMZ Step By Step


Problem
Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.
Assumptions
1. Networks,
a. Inside network is 10.1.0.0 255.255.0.0
b. Outside network is 123.123.123.120 255.255.255.248
c. DMZ network is 172.16.1.0 255.255.0.0
2. Interfaces,
a. Inside Interface is 10.1.0.254
b. Outside Interface is 172.16.1.254
c. DMZ Interface is 172.16.1.254
3. The Web server in the DMZ will have the following IP addresses,
a. DMZ IP address 172.16.1.1
b. Public IP address 123.123.123.124
4. From the Internet you want to allow web traffic and secure web traffic (http/www and https/ssl) to the DMZ server.
5. The DMZ Server needs to speak to a database server on the inside LAN, on TCP port 1433.
Solution
1. Firstly connect to the ASA log in and go to enable mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
2. Go to configure terminal mode and set up the DMZ interface (In this case Ethernet0/2).
PetesASA# conf t
PetesASA(config)# interface Ethernet0/2
PetesASA(config-if)# nameif DMZ
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 172.16.1.254 255.255.0.0
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
3. I like to name the DMZ entities IP addresses so things look neat.
PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP
4. Set up a NAT statement to handle the traffic flow (this assumes you already have a matching global statement, e.g. "global (outside) 1 xxx"; "show run global" will tell you).
PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0
Note We are only going to have one DMZ host, and it will have a static mapping - if you had many DMZ hosts then also add "global (DMZ) 1 interface".
5. Now add some static mappings.
PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
6. To let people in from outside you need to either create an access-list or add some rules to any existing inbound access-list ("show run access-group" will tell you; look for an ACL applied "in" to the outside interface, e.g. "access-group inbound in interface outside"). We will assume I don't have one, so I'll need the access-group command at the end.
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq https
PetesASA(config)# access-group inbound in interface outside
7. Now to allow the DMZ host to get to the database server I'm going to allow TCP 1433.
PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433
PetesASA(config)# access-group DMZ_outbound in interface DMZ
8. Finally save the configuration.
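As an added check (this is example code written for this page, not a tool from the article), the script below takes the addressing plan from the assumptions above, verifies that each address sits where the plan says it does (the DMZ host inside the DMZ subnet, the public address as a usable host in the outside subnet, the database server on the inside LAN), and then emits the same pre-8.3 command sequence as steps 2 to 7. The function name build_dmz_config and the database address 10.1.0.10 are my own choices; the 255.255.255.0 DMZ mask follows the static in step 5.

```python
import ipaddress
from typing import List

# Added example (not the article's own tooling): sanity-check the addressing plan
# for a new DMZ and emit the pre-8.3 ASA commands the article walks through.
# Every input value below is constructed to mirror the article's assumptions.

def build_dmz_config(dmz_if: str, dmz_if_ip: str, dmz_net: str, inside_net: str,
                     outside_net: str, host_private: str, host_public: str,
                     inbound_ports: List[str], db_server: str, db_port: int) -> List[str]:
    """Validate the plan, then return the ASA command lines as a list of strings.

    Raises ValueError when an address does not belong where the plan says it does,
    which is the mistake that usually turns a 'working' DMZ into an unreachable one.
    """
    dmz = ipaddress.ip_network(dmz_net)
    inside = ipaddress.ip_network(inside_net)
    outside = ipaddress.ip_network(outside_net)
    dmz_ip = ipaddress.ip_address(dmz_if_ip)
    priv = ipaddress.ip_address(host_private)
    pub = ipaddress.ip_address(host_public)
    db = ipaddress.ip_address(db_server)

    if dmz.overlaps(inside) or dmz.overlaps(outside):
        raise ValueError(f"DMZ subnet {dmz} overlaps another interface subnet")
    if dmz_ip not in dmz:
        raise ValueError(f"DMZ interface address {dmz_ip} is not in {dmz}")
    if priv not in dmz or priv == dmz_ip:
        raise ValueError(f"DMZ host private address {priv} must be a free host in {dmz}")
    if pub not in outside or pub in (outside.network_address, outside.broadcast_address):
        raise ValueError(f"public address {pub} is not a usable host address in {outside}")
    if db not in inside:
        raise ValueError(f"database server {db} is not on the inside network {inside}")

    lines = [
        f"interface {dmz_if}",
        " nameif DMZ",
        " security-level 50",                    # between inside (100) and outside (0)
        f" ip address {dmz_ip} {dmz.netmask}",
        " no shutdown",
        f"name {priv} DMZ-Host-Private-IP",
        f"name {pub} DMZ-Host-Public-IP",
        "nat (DMZ) 1 0.0.0.0 0.0.0.0",           # assumes a matching 'global (outside) 1' exists
        "static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255",
        # identity static so inside hosts keep their real addresses when talking to the DMZ
        f"static (inside,DMZ) {inside.network_address} {inside.network_address} netmask {inside.netmask}",
    ]
    for port in inbound_ports:
        lines.append(f"access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq {port}")
    lines.append("access-group inbound in interface outside")
    # Only the one port the DMZ host needs towards the inside LAN; every other flow
    # entering the DMZ interface is then dropped by the implicit deny at the end of the ACL.
    lines.append(f"access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host {db} eq {db_port}")
    lines.append("access-group DMZ_outbound in interface DMZ")
    return lines


if __name__ == "__main__":
    for line in build_dmz_config("Ethernet0/2", "172.16.1.254", "172.16.1.0/24",
                                 "10.1.0.0/16", "123.123.123.120/29",
                                 "172.16.1.1", "123.123.123.124",
                                 ["www", "https"], "10.1.0.10", 1433):
        print(line)
```

One thing the generated DMZ_outbound ACL makes obvious: an ACL applied "in" on the DMZ interface is evaluated for every flow the DMZ host initiates, so with only the TCP 1433 permit in it the host cannot start anything else (including traffic to the Internet) until you add further permit lines.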

Block Facebook & Google Talk on ASA


Block Access to Facebook on Cisco ASA with MPF
Problem
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module; however, on an ASA5505 that's not an option, and if you want to throw in a quick solution to stop your staff going to Facebook during work time, then this is the best solution.
NOTE: This can be used for any web site simply add each URL you want to block.
Solution
1. Log into your firewall and enter enable mode, then enter configure terminal mode.
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)#
2. The first thing we are going to do is write a "Regular Expression" that matches Facebook (repeat the line, adding domainlist2, 3, etc. for each additional domain you need to block).
PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#
3. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)
PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#
4. We are now going to create a second class map. This one is for http inspection and uses the first class map we created; it basically says "this class map is for http inspection and will inspect for what we declared in the first class map" (i.e. inspect http traffic for any instance of facebook.com).
PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#
5. Now to apply these class-maps we need to use a policy. The rule for policies is: you can have tons of policies, but you can only apply one global policy, AND you can also have a policy for each interface. So here I'll create a policy for http inspection and use the classes we created above.
PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#
6. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.
PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#
7. Note: Above I've assumed you have the default global policy. If you haven't, this will not apply until you have applied the global_policy globally; this is done with a service-policy command. Check to see if you already have this command in your config, or simply execute the command and the firewall will tell you, like so....
Note: If it does not error then it was NOT applied before (it is now) :)
PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#
8. Don't forget the save the config with a "write mem" command.
If you want to have this on a policy of its own, applied to an interface rather than on the global policy, here is some working code to copy and paste (credit to Aniket Rodrigues).

regex BLOCKED_DOMAIN_1 "www.facebook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside
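To show what that regex actually matches, here is an added example (not part of the original article) that runs the article's pattern and a tighter alternative over a few constructed Host headers using Python's re module. It assumes the ASA regex engine treats `.`, `\.`, `^`, `$` and `|` the way Python does, which holds for these basic constructs, and it records separately the HTTPS request that "inspect http" never sees because the Host header is inside TLS.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample traffic: (client, Host header, scheme). Not captured from a real ASA.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("10.1.0.5", "www.facebook.com", "http"),
    ("10.1.0.6", "facebook.com", "http"),
    ("10.1.0.7", "notfacebook.com", "http"),     # an unanchored pattern also matches this
    ("10.1.0.8", "facebookXcom", "http"),        # unescaped '.' is a wildcard and matches this
    ("10.1.0.9", "www.example.com", "http"),
    ("10.1.0.10", "www.facebook.com", "https"),  # TLS: Host header is not visible to 'inspect http'
]

# The article's pattern as written, and an anchored, escaped version of it.
LOOSE_PATTERN = ["facebook.com"]
STRICT_PATTERN = [r"(^|\.)facebook\.com$"]


def host_matches(patterns: List[str], host: str) -> bool:
    """True if any regex in the list is found anywhere in the Host header (match-any semantics)."""
    return any(re.search(p, host) for p in patterns)


def evaluate(patterns: List[str], requests) -> Dict[str, List[Tuple[str, str]]]:
    """Sort the constructed requests into what the policy would reset, allow, or never inspect."""
    verdict: Dict[str, List[Tuple[str, str]]] = {"reset": [], "allowed": [], "not_inspected": []}
    for client, host, scheme in requests:
        if scheme != "http":
            verdict["not_inspected"].append((client, host))   # never reaches the http inspector
        elif host_matches(patterns, host):
            verdict["reset"].append((client, host))           # 'reset log' action in the policy
        else:
            verdict["allowed"].append((client, host))
    return verdict


if __name__ == "__main__":
    for label, pats in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        v = evaluate(pats, SAMPLE_REQUESTS)
        print(label, "reset:", [h for _, h in v["reset"]],
              "not inspected:", [h for _, h in v["not_inspected"]])
```

Unanchored and unescaped, "facebook.com" also resets anything whose Host header merely contains those characters (notfacebook.com, or facebookXcom, since the dot is a wildcard); the anchored form limits the reset to the domain and its subdomains. Neither form touches HTTPS, which is worth knowing before anyone relies on this to keep a site blocked.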


Blocking Google Talk (Cisco ASA)
 
Problem
You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.
Solution
Yes, you could write a REGEX and block it with an MPF, like I did here, to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA, and go to configure terminal mode.
PetesASA>
PetesASA> en
Password: ********
PetesASA# configure terminal
PetesASA(config)#
2. Let's keep things neat and name our four Google Talk servers.
PetesASA(config)# name 216.239.37.125 Google-Talk-Server-1
PetesASA(config)# name 72.14.253.125 Google-Talk-Server-2
PetesASA(config)# name 72.14.217.189 Google-Talk-Server-3
PetesASA(config)# name 209.85.137.125 Google-Talk-Server-4
3. Then let's create a group for those servers.
PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host 216.239.37.125
PetesASA(config-network-object-group)# network-object host 72.14.253.125
PetesASA(config-network-object-group)# network-object host 72.14.217.189
PetesASA(config-network-object-group)# network-object host 209.85.137.125
4. And then a group for the ports we want to block.
PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www
5. To tie it all together we can simply add one ACL.
PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
Note: This assumes you have an ACL called "outbound" that's applied to your outbound traffic; yours may have a different name. To find out, issue a "show run access-group" command like so; your outbound ACL will be applied "in interface inside". If yours is called something different then change the command above accordingly. If you don't have one at all, skip to step 6.
PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#
6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic, and AFTER you have carried out step 5.
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any
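Both this article and the DMZ article above tell you to run "show run access-group" and pick the ACL that is applied "in" on the inside interface. As an added example (not from the article), the Python below parses that output and builds the command list from steps 3 to 6 accordingly: it inserts the deny at line 1 of whatever ACL is really applied, or, when none is, creates one with the deny first, keeps current behaviour with a permit, and applies it. The sample output is constructed to look like the article's; plan_gtalk_block and parse_access_groups are names I chose.

```python
import re
from typing import Dict, List, Tuple

# Constructed 'show run access-group' output modelled on the article's (not a real capture).
SHOW_RUN_ACCESS_GROUP = """\
PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#
"""

# Server and port values as listed in the article.
GTALK_SERVERS = ["216.239.37.125", "72.14.253.125", "72.14.217.189", "209.85.137.125"]
GTALK_PORTS = ["5222", "5223", "https", "www"]

ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_access_groups(output: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, direction) -> ACL name; prompt lines and blank lines are ignored."""
    applied: Dict[Tuple[str, str], str] = {}
    for raw in output.splitlines():
        m = ACCESS_GROUP_RE.match(raw.strip())
        if m:
            acl, direction, iface = m.groups()
            applied[(iface, direction)] = acl
    return applied


def plan_gtalk_block(output: str, servers: List[str], ports: List[str],
                     inside_if: str = "inside") -> List[str]:
    """Return the commands to add, choosing the ACL name from what is really applied."""
    lines = ["object-group network Google-Talk-Servers"]
    lines += [f" network-object host {s}" for s in servers]
    lines.append("object-group service Google-Talk-Ports tcp")
    lines += [f" port-object eq {p}" for p in ports]
    deny = "deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports"
    acl = parse_access_groups(output).get((inside_if, "in"))
    if acl:
        # Existing outbound ACL: the deny has to sit above its permits, hence 'line 1'.
        lines.append(f"access-list {acl} line 1 {deny}")
    else:
        # No outbound ACL yet: deny first, then a permit so nothing else changes, then apply it.
        lines.append(f"access-list outbound {deny}")
        lines.append("access-list outbound permit ip any any")
        lines.append(f"access-group outbound in interface {inside_if}")
    return lines


if __name__ == "__main__":
    print("\n".join(plan_gtalk_block(SHOW_RUN_ACCESS_GROUP, GTALK_SERVERS, GTALK_PORTS)))
```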

Deploy Cisco ASA 55xx in Active / Standby Failover


Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions.
Hardware on both ASA firewalls is identical.
The correct licences for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).
In this example the firewalls were ASA5510s and all interfaces were being used, so the Management port was used as the "Failover Link" (that needs a Security Plus licence!).
This link will use a crossover cable (only available after version 7.0(2); before that you had to use a switch, I think!).
Also I'm using the same link for LAN-based failover (heartbeat) AND stateful replication.
IP Addresses
Each interface will need its existing IP address, and an address to use whilst in "Standby". In this example I will use the following,
Outside Interface (Ethernet 0/0) 123.123.123.123 255.255.255.0
Outside Interface STANDBY 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1) 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2) 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY 192.168.2.254 255.255.255.0
Inside Interface (Ethernet 0/3) 172.16.1.1 255.255.255.0
Inside Interface (STANDBY) 172.16.1.254 255.255.255.0
Failover Interface (Management0/0) 172.16.254.254 255.255.255.0
Failover Interface STANDBY 172.16.254.250 255.255.255.0
 
Step 1 Carry Out this procedure on the PRIMARY (Already configured and working) firewall.
 
1. Backup the running config on the primary firewall.
PetesASA# copy run flash:/before_failover.cfg
Source filename [running-config]?
Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd

8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#
2. Blow away the config on the interface you are going to use for failover.
PetesASA(config)# clear configure interface m0/0
PetesASA(config)# int m0/0
PetesASA(config-if)# no shut
PetesASA(config)#
3. Change the interface IP addresses – (to add the standby addresses for each interface).
PetesASA(config)#
PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface Ethernet0/1
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface Ethernet0/2
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface Ethernet0/3
PetesASA(config-if)# speed 100
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif Inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#

4. Set up the failover LAN interface (In config mode!).
PetesASA(config)#
PetesASA(config)# failover lan interface failover m0/0
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#

5. Setup failover link IP address.
PetesASA(config)#
PetesASA(config)# failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
PetesASA(config)#

6. Setup a shared key.
PetesASA(config)#
PetesASA(config)# failover lan key 666999
PetesASA(config)#

7. Set it as the primary firewall.
PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#
8. Turn on failover.
PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#
9. Now we need to enable stateful failover.
PetesASA(config)#
PetesASA(config)# failover link failover Management0/0
PetesASA(config)#
10. Save the config.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
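Added example (not from the article): before typing the interface commands from step 3, it is worth checking the standby plan, since a standby address outside its interface subnet, or equal to the active one, will not cause trouble until the first failover. The script below checks the article's address table (transcribed here as constructed input) and renders the commands from steps 3 to 9 for the primary unit; check_standby_plan and render_failover_config are my names, and the shared key is left as a placeholder rather than the sample value in step 6.

```python
import ipaddress
from typing import List, Tuple

# Constructed from the article's address plan: (nameif, physical, active, mask, standby, security-level).
FAILOVER_PLAN = [
    ("Outside", "Ethernet0/0", "123.123.123.123", "255.255.255.0", "123.123.123.124", 0),
    ("DMZ1", "Ethernet0/1", "192.168.1.1", "255.255.255.0", "192.168.1.254", 50),
    ("DMZ2", "Ethernet0/2", "192.168.2.1", "255.255.255.0", "192.168.2.254", 55),
    ("Inside", "Ethernet0/3", "172.16.1.1", "255.255.255.0", "172.16.1.254", 100),
]
# (link name, physical, active, mask, standby) for the failover/state link.
FAILOVER_LINK = ("failover", "Management0/0", "172.16.254.254", "255.255.255.0", "172.16.254.250")


def check_standby_plan(plan, link) -> List[str]:
    """Return a list of problems; an empty list means every standby address is usable."""
    problems: List[str] = []
    seen = {}
    entries = [(n, a, m, s) for n, _, a, m, s, _ in plan] + [(link[0], link[2], link[3], link[4])]
    for name, active, mask, standby in entries:
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        a, s = ipaddress.ip_address(active), ipaddress.ip_address(standby)
        if s not in net:
            problems.append(f"{name}: standby {s} is not in {net}")
        elif s in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: standby {s} is the network or broadcast address")
        if a == s:
            problems.append(f"{name}: standby address equals the active address")
        for other, onet in seen.items():          # each interface needs its own subnet
            if net.overlaps(onet):
                problems.append(f"{name} and {other}: subnets {net} and {onet} overlap")
        seen[name] = net
    return problems


def render_failover_config(plan, link, unit: str = "primary") -> List[str]:
    """Emit the primary-unit commands from the article's steps 3 to 9 for this plan."""
    lines: List[str] = []
    for nameif, phys, active, mask, standby, level in plan:
        lines += [f"interface {phys}", f" nameif {nameif}", f" security-level {level}",
                  f" ip address {active} {mask} standby {standby}"]
    name, phys, active, mask, standby = link
    lines += [f"failover lan interface {name} {phys}",
              f"failover interface ip {name} {active} {mask} standby {standby}",
              "failover lan key <shared-key-placeholder>",   # pick your own; not the article's sample
              f"failover lan unit {unit}",
              "failover",
              f"failover link {name} {phys}"]                 # same link carries state replication
    return lines


if __name__ == "__main__":
    issues = check_standby_plan(FAILOVER_PLAN, FAILOVER_LINK)
    print("\n".join(issues) if issues else "\n".join(render_failover_config(FAILOVER_PLAN, FAILOVER_LINK)))
```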

Cannot Access / Open ASDM

Problem
Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java; make sure the machine has Java installed.
2. Make sure the internet browser you are using is supported:
Operating System                                            Internet Explorer   Firefox (2)      Safari           Sun Java SE Plug-in (1)
Microsoft Windows (English and Japanese): 7, Vista,         6.0 or later        1.5 or later     No support       6.0
  2008 Server, XP
Apple Macintosh OS X: 10.6, 10.5, 10.4                      No support          1.5 or later     2.0 or later     6.0
Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop,         N/A                 1.5 or later     N/A              6.0
  Desktop with Workstation
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common "gotcha"!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is "allowed" access
1. Connect to the firewall using either SSH, Telnet, or the console cable.
2. Log into the firewall, go to enable mode > Enter the enable password.
Type help or '?' for a list of available commands.
PetesASA>
PetesASA> en
Password: ********
PetesASA#
3. The ASDM is enabled with the command "http server enable"; to make sure that's there, issue a "show run http" command.
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
Note: if the command is NOT there, you need to issue the following three commands:
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
Note: If you see a number after the command e.g. "http server enable 2456" then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you're port forwarding https but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:
PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
5. At this point try and access the ASDM again.
6. The ASA needs to be told what file to use for the ASDM. To make sure it has been told, issue the following command (if there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall).
PetesASA# show run asdm
asdm image disk0:/asdm-631.bin
Note: on a Cisco PIX the results will look like..
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
7. Write down the file that it has been told to use (in the example above asdm-631.bin). Then make sure that file is actually in the firewall's memory with a "show flash" command.
PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-631.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg

127135744 bytes total (29583360 bytes free)
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that's listed in your flash memory).
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
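Steps 6 and 7 are a manual cross-check between two command outputs. As an added example (not from the article), the following Python does the same comparison on constructed copies of "show run asdm" and "show flash", reporting whether the referenced image is present, missing from flash, or not configured at all, and listing any asdm-*.bin files it could fall back to. The regular expressions assume the listing format shown above (index, length, date, time, path) and accept both the ASA "disk0:/" and the PIX "flash:/" prefixes.

```python
import re
from typing import Dict, List, Optional

# Constructed output modelled on the article's 'show run asdm' and 'show flash' (not a real capture).
SHOW_RUN_ASDM = "asdm image disk0:/asdm-631.bin\n"
SHOW_FLASH = """\
--#-- --length-- -----date/time------ path
  142 15943680 May 08 2010 18:10:42 asa831-k8.bin
  144 14240396 May 08 2010 18:11:50 asdm-631.bin
    3 2048 Jul 21 2009 12:04:26 log
    6 2048 Apr 28 2010 15:08:32 crypto_archive
  163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin

127135744 bytes total (29583360 bytes free)
"""

# index, length, "Mon dd yyyy hh:mm:ss", path
FLASH_ENTRY_RE = re.compile(
    r"^\s*\d+\s+\d+\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$")
ASDM_IMAGE_RE = re.compile(r"^asdm image\s+(?:disk0|flash):/(\S+)\s*$")


def configured_asdm_image(show_run_asdm: str) -> Optional[str]:
    """Filename from 'asdm image disk0:/...' (ASA) or 'asdm image flash:/...' (PIX), or None."""
    for line in show_run_asdm.splitlines():
        m = ASDM_IMAGE_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def flash_files(show_flash: str) -> List[str]:
    """Paths listed by 'show flash'; the header and the totals line do not match the entry pattern."""
    files: List[str] = []
    for line in show_flash.splitlines():
        m = FLASH_ENTRY_RE.match(line)
        if m:
            files.append(m.group(1))
    return files


def check_asdm_image(show_run_asdm: str, show_flash: str) -> Dict[str, object]:
    """Tie the two outputs together the way the article's steps 6 and 7 do by hand."""
    image = configured_asdm_image(show_run_asdm)
    files = flash_files(show_flash)
    candidates = [f for f in files if f.startswith("asdm-") and f.endswith(".bin")]
    if image is None:
        status = "not-configured"       # fix: 'asdm image disk0:/<one of the candidates>'
    elif image in files:
        status = "ok"
    else:
        status = "missing-in-flash"     # fix: upload the image, or point at one that exists
    return {"status": status, "image": image, "asdm_files_in_flash": candidates}


if __name__ == "__main__":
    print(check_asdm_image(SHOW_RUN_ASDM, SHOW_FLASH))
```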
 

RDP to Multiple Servers with a Cisco PIX/ASA Firewall


Problem
You want to connect via "Remote Desktop" to multiple servers behind your firewall. To do this you have three options.
Solution
Option 1 (Use if you have multiple free Public IP addresses)
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", and create a name entry for each server's public and private address.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External
Now allow RDP to both of the servers with an access control list, and apply that access control list to the outside interface (note: if you already have an inbound ACL, simply substitute the name "inbound" for yours).
Petes-ASA(config)# access-list inbound extended permit tcp any host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside
 
Option 2 (Uses Port Forwarding and uses a different port for each server).
To deploy this option the ASA will accept the connection for each server on a different port, to do this each server must listen on a different port.
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode" then allow each port you are going to use (in this case 3389 and 3390)
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then Port Forward those ports to the correct internal servers.
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255
 
Option 3 (Uses Port Forwarding and uses a different port for each server).
This differs from option 2 because in this example the firewall will translate each incoming port to RDP 3389 and send it to the correct server.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then Port Forward AND TRANSLATE those ports to the correct internal servers.
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

Cisco PIX / ASA Port Forwarding



Using Command Line, ASDM and PDM

 

Problem

Note: Port forwarding has changed on PIX/ASA devices running OS 8.3 for the new syntax go here.

Cisco PIX/ASA Port forwarding (Pre Version 8.3)

Port forwarding on Cisco firewalls can be a little difficult to get your head around. To better understand what is going on, in the "World of Cisco" you need to remember two things.....
1. NAT means translating MANY addresses to FEW addresses.
2. PAT means translating many addresses to ONE address.
Why is that important, you ask? Well, most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything; e.g. the first connection out might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049, so when the traffic comes back the firewall knows where to send it.
Fair enough, but what has that got to do with port forwarding? Well, you can use the exact same system to lock a port to an IP address, so if only one port can go to one IP address then that's going to give you port forwarding :)
To make matters more confusing (sorry), you configure PAT in the NAT settings. For this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding (the ASDM is better than the old PDM), so most people prefer to use the command line to do port forwarding.
Below you will find
Option 1 Use Command Line Interface
Option 2 Use ASDM (PIX v7 and ASA Only)
Option 3 Use PDM (PIX v6 Only)
Solution
 

Option 1 Use the Command Line to Port Forward (pre version 8.3)
1 Port to 1 IP Address

 

1. First things first, you will need to know what port you want to forward and where you want to forward it to. For this example we will assume I've got a server at 10.254.254.1, and it's a mail server, so I want to forward all TCP port 25 traffic to it. Connect to the firewall via console, Telnet or SSH.
Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
firewall>
2. Enter enable mode, and enter the enable mode password.
firewall> enable
Password: ********
firewall#
3. Now we need to go to configuration mode.
firewall# configure terminal
firewall(config)#
4. Before we can configure port forwarding we need to allow the traffic (this is a firewall after all); to allow traffic you need an access list.
firewall(config)# access-list inbound permit tcp any interface outside eq smtp
firewall(config)#
5. Remember access-lists WON'T work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command.
firewall(config)# access-group inbound in interface outside
firewall(config)#
6. Lastly, the command that actually does the port forwarding (the static command).
firewall(config)# static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
firewall(config)#
7. Don't forget to save your hard work (write memory).
firewall(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
firewall(config)#
 

Option 2 Use the ASDM (PIX V7 and ASA5500)
1 Port to 1 IP Address

 
1. As above you will need to know the port and the IP to forward it to, Launch the ASDM, Select Configuration > Security Policy > Then either Rule Add, or right click the incoming rules and select "Add Access Rule"
2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp > OK > Apply.
3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click "Add Static NAT Rule"
4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick "Enable Port Translation (PAT)" > Protocol = TCP > Original Port = smtp > Translated Port = smtp > OK > Apply.
5. File > "Save Running Configuration to Flash."

Option 3 Use the PIX Device Manager (PIX Version 6 Only)
1 Port to 1 IP Address

 
1. As above you will need to know the port and the IP to forward it to. Launch the PIX Device Manager, select Configuration > Access Rules > then either click Rules > Add, or right click an incoming rule and select "Insert Before" or "Insert After".
2. Under "Action" select "Permit"; under Source Host/Network select "Outside" and all the zeros; under Destination Host/Network select "Inside" and all the zeros; then set the "Destination Port" to smtp > OK > Apply.
3. Now select the "Translation Rules" tab, Rules > Add, or right click a rule and select "Insert Before" or "Insert After".
4. In this example I've set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I've blurred out the public IP address; you will need to add this also) > OK > Apply.
5. Finally save your work > File > "Save Running Configuration to Flash." > Exit.
 

Cisco PIX/ASA Port forwarding (Post Version 8.3)

 
Note: Port forwarding has changed on PIX/ASA devices running OS 8.3 and above. There is no longer a global command; for a full rundown of the changes click here.
If you issue a global command after version 8.3 you will see this error,
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

From Command Line


1. First things first, you will need to know what port you want to forward and where you want to forward it to. For this example we will assume I've got a server at 10.254.254.5, and it's a web server, so I want to forward all TCP port 80 (HTTP) traffic to it. Connect to the firewall via console, Telnet or SSH.
Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA>
2. Enter enable mode, and enter the enable mode password.
PetesASA> enable
Password: ********
PetesASA#
3. Now we need to go to configuration mode.
PetesASA# configure terminal
PetesASA(config)#
4. Create an object for the web server that the traffic is going to be forwarded to.
PetesASA(config)# object network Internal_Web_Server
PetesASA(config-network-object)# host 10.254.254.5
5. Then create a NAT translation for the port to be forwarded; then you can exit the network object prompt.
PetesASA(config-network-object)# nat (inside,outside) static interface service tcp http http
PetesASA(config-network-object)# exit
6. Now you need to allow the http traffic in.
PetesASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http
7. Remember access-lists WON'T work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command.
PetesASA(config)# access-group inbound in interface outside
PetesASA(config)#
8. Don't forget to save your hard work (write memory).
PetesASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
PetesASA(config)#
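For the RDP port-forwarding options earlier on this page and the before/after pair in this section, here is an added example (not from the article) that converts a pre-8.3 "static (inside,outside) tcp interface ..." line plus its matching "access-list ... any interface outside eq ..." entry into the 8.3 object NAT form, refusing to convert when the ACL and the static disagree about the forwarded port. It applies the rule visible in steps 4 to 6 above: on 8.3 and later the ACL references the object and the real (pre-translation) port, which is what changes for the "3390 to 3389" case in RDP option 3. The object names are my own.

```python
import re
from typing import List

# Pre-8.3: static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
STATIC_PAT_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
    r"\s+netmask\s+255\.255\.255\.255$")
# Pre-8.3 ACL entry that permits the forwarded port on the mapped interface address.
INBOUND_ACL_RE = re.compile(
    r"^(?P<prefix>access-list\s+\S+\s+(?:extended\s+)?permit\s+(?P<proto>tcp|udp)\s+\S+)"
    r"\s+interface\s+(?P<iface>\w+)\s+eq\s+(?P<port>\S+)$")


def convert_port_forward(static_line: str, acl_line: str, object_name: str) -> List[str]:
    """Return the 8.3+ lines (network object, object NAT, rewritten ACL) for one forwarded port."""
    s = STATIC_PAT_RE.match(static_line.strip())
    if not s:
        raise ValueError("not a pre-8.3 port-forwarding static")
    a = INBOUND_ACL_RE.match(acl_line.strip())
    if not a:
        raise ValueError("not a pre-8.3 'any -> interface <if> eq <port>' ACL entry")
    if a["proto"] != s["proto"] or a["iface"] != s["mapped_if"] or a["port"] != s["mapped_port"]:
        raise ValueError("ACL entry does not describe the same forwarded port as the static")
    return [
        f"object network {object_name}",
        f" host {s['real_ip']}",
        # object NAT: 'service <proto> <real_port> <mapped_port>'
        f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped_ip']} "
        f"service {s['proto']} {s['real_port']} {s['mapped_port']}",
        # 8.3+ ACLs are evaluated against the real (untranslated) address and port.
        f"{a['prefix']} object {object_name} eq {s['real_port']}",
    ]


if __name__ == "__main__":
    # Constructed from RDP option 3 on this page: outside port 3390 forwarded to 3389 on the second server.
    for line in convert_port_forward(
            "static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255",
            "access-list inbound extended permit tcp any interface outside eq 3390",
            "Server2-Internal"):
        print(line)
```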

Backup and Restore a Cisco Firewall



Problem

There are many different versions of PIX and ASA firewalls. If you want to get a backup of the configuration and save it elsewhere, so that in the event of a failure (or more likely someone tinkering and breaking the firewall) you can recall and restore that configuration, by far the easiest way is to use a TFTP server. It works on ALL versions, so learn it once and use it many times.
Note: Some people flatly refuse to use the command line; if that's you, you can also backup and restore from the ASDM, click here.
OK, for starters you need to get a TFTP server. While this sounds very grand, it's a little piece of software that will run on just about any Windows PC; I use an application called 3CDaemon and I've put information on how to get it and how to set it up (about 5 minutes' work) HERE.
So I'll assume you have the TFTP server installed and running, and you know what IP address the machine that's running it is using.
NOTE: TFTP uses TCP Port 69; if you have firewalls between the one you are working on and the TFTP server, then this port needs to be open.

Solution

Backup

1. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#

2. To back up the firewall you need to specify the IP address of where you want to send it (i.e. the TFTP server) and what you want to call the backup, and you tie them together with a "write net" command. The syntax is:
write net {ip address}:{filename}
ciscoasa# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
ciscoasa#
3. On your TFTP server you will see that a file has been received.
4. If you look in the TFTP server root directory you will find the file, though it has no file extension you can open it and view it using a text editor like notepad or wordpad, just remember NOT to save it with a txt or rtf extension when you close it again. Keep it safe you will need it if you ever want to restore.

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.
2. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#
3. Enter configuration mode using the "conf t" command.
ciscoasa# conf t
ciscoasa(config)#
4. Unlike when you backed up the firewall, to restore the configuration you use the "copy tftp start" command.
ciscoasa(config)# copy tftp start
5. Supply it with the IP address of your TFTP Server.
Address or name of remote host []? 172.254.1.2
6. Supply it with the name of the file you backed up earlier.
Source filename []? firewall_backup
7. The file will get copied over.
Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
ciscoasa(config)#
8. On your TFTP server you will see the file being "copied out".
9. Not finished yet: the file now lives in the "Startup" configuration, so it has not been loaded into the running configuration yet. The best way to do this is to reboot the firewall. To do this issue the reload command, and confirm by pressing enter.
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---
10. After the reboot, you will be running on the restored configuration.
 
Note: With a Version 6 firewall, restoring a config from TFTP simply "merges" the new one with the config already on the firewall. In most cases this is NOT what you want; to get round this, place the following command at the top of the config you are restoring:
clear config all
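The backup file pulled back with "write net" is the whole running config, credentials included, and on a Version 6 box it only replaces the live config if "clear config all" is its first command. The following is an added example (not part of the original post, and not Cisco code) that checks a backup file for both points before it is archived or restored; the sample config is constructed for the example.

```python
import re

# Constructed sample of a config received by the TFTP server. Values are made up.
SAMPLE_BACKUP = """\
: Saved
:
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PetesPIX
snmp-server community public
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
access-list inbound permit icmp any any echo-reply
: end
"""

# Lines that carry credentials: their presence makes the backup file itself a secret.
SENSITIVE_PATTERNS = [
    re.compile(r"^passwd\b"),
    re.compile(r"^snmp-server community\b"),
    re.compile(r"\bpre-shared-key\b"),
    re.compile(r"\bpassword\b"),          # enable password, username ... password, etc.
]

def firmware_version(config_text):
    """Return (family, major) from the 'PIX Version x.y' / 'ASA Version x.y' header, or None."""
    m = re.search(r"^(PIX|ASA) Version (\d+)\.", config_text, re.MULTILINE)
    return (m.group(1), int(m.group(2))) if m else None

def needs_clear_config(config_text):
    """True when a Version 6 restore would merge: the first real line is not 'clear config all'."""
    ver = firmware_version(config_text)
    if ver is None or ver[1] >= 7:
        return False                      # version 7+ replaces the startup config outright
    # Skip blank lines and the ': Saved' style comment lines at the top of a saved config.
    first = next((l for l in config_text.splitlines() if l.strip() and not l.startswith(":")), "")
    return first.strip() != "clear config all"

def sensitive_lines(config_text):
    """Config lines holding credentials, so the file is stored with the same care as the passwords."""
    return [line.strip() for line in config_text.splitlines()
            if any(p.search(line) for p in SENSITIVE_PATTERNS)]
```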

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration.
2. Browse Local.
3. Find somewhere to put the backup that you will be able to locate.
4. In this instance I'll "Backup All" > Backup.
5. Let it do its own thing > Close.
6. Take a quick look at the report > OK.

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration.
2. Browse Local.
3. Locate your backup and select it.
4. Next.
5. In this instance I'm just going to restore the Start-up-configuration (Note: that means I will need to reboot the firewall when restored, before the restored config takes effect) > Restore.
6. You will be asked if you want to merge or replace the config. (Note: merge is handy if there have only been a couple of config changes.) I'm going to replace it.
7. Let it restore the files, then restart ASDM.

ICMP PING CMD IN FIREWALL & ASDM

Cisco Firewalls and PING (Note: Tracert uses Ping protocols and the firewall treats ping and tracert the same)
 
Problem
With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.

OK, to understand pinging through a Cisco firewall you need to understand that Ping is part of the ICMP protocol suite and, unlike other protocols, is not "connection oriented". What that means is that (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out, but it won't let the ping traffic back in; this results in a failure on the client.
Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine so that the firewall could track ICMP requests like other protocols. It's NOT turned on by default. The command is "inspect icmp", but you need to enter the default class map first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode, then save the changes with a "write mem" command.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config-pmap-c)#
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Cisco PIX (version 6 and below) From CLI
Older firewalls do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in. Note: this assumes you already have an inbound access-list called "inbound" and we are adding some more lines to it; change the word inbound to match the name/number of your inbound access list ("show access-group" will tell you what is applied to the outside interface), e.g.
PetesASA> en
Password: ********
PetesASA# show access-group
access-group inbound in interface outside << This one's called inbound.
If you already have an access-list applied then simply substitute the name "inbound" for the name of your ACL.
PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply
PetesASA(config)# access-list inbound permit icmp any any time-exceeded
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench
If you already HAD an inbound ACL skip this step; if you didn't have one, you need to apply the ACL with an access-group command.
PetesASA(config)# access-group inbound in interface outside
Lastly save your work with a write mem command.
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
Cisco PIX (version 6 and below) From PDM
Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside to Inside > Tick ICMP > Select "echo-reply" > OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench.
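To make the difference between the two fixes concrete, here is an added example (written for this page, not Cisco code) that models the behaviour described above in a few lines: a stateless firewall that lets the echo request out but drops the reply, the version 7 "inspect icmp" approach that pairs each reply with a tracked request, and the version 6 ACL approach that permits the listed ICMP types from any source. Hosts are plain strings; no real packets are sent.

```python
from dataclasses import dataclass, field

# Simplified model of how the firewall treats ping; it is not the real ASA/PIX code path.

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str          # echo-request, echo-reply, time-exceeded, unreachable, source-quench
    ident: int = 0     # echo identifier and sequence pair a reply with its request
    seq: int = 0

@dataclass
class Firewall:
    inspect_icmp: bool = False                  # version 7+: "inspect icmp" in the global policy
    inbound_acl: tuple = ()                     # version 6: ICMP kinds the inbound ACL permits
    pending: set = field(default_factory=set)   # outbound echo requests awaiting a reply

    def outbound(self, pkt):
        """Inside to outside: always passes; inspection remembers echo requests it saw leave."""
        if self.inspect_icmp and pkt.kind == "echo-request":
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt):
        """Outside to inside: an ACL hit, or a reply to a tracked request, gets through."""
        if pkt.kind in self.inbound_acl:
            return True                         # stateless permit: any source, any time
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply flows back the other way
        if self.inspect_icmp and pkt.kind == "echo-reply" and key in self.pending:
            self.pending.discard(key)           # one reply per request; a second copy is dropped
            return True
        return False                            # the silent drop the client reports as a timeout

def ping(fw, client, target, ident=0x1234, seq=1):
    """Send one echo request out and try to bring the matching reply back in."""
    fw.outbound(Icmp(client, target, "echo-request", ident, seq))
    return fw.inbound(Icmp(target, client, "echo-reply", ident, seq))
```

Note that the ACL version accepts an unsolicited echo-reply from anywhere, whereas inspection only accepts one that matches a request it saw leave.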
Stop Interfaces replying to Ping traffic
As stated above, all firewall interfaces will respond to pings from the network you are connected to. To stop this you use the "icmp" command.
Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.
Do the same from PDM
Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.