
Cisco ASA Commands for NAT, Static, Global, and ACLs


March 31, 2011, by movement3

Cisco ASA security levels:

0 is the outside (Internet)
50 is the DMZ
100 is the inside

By default, traffic is allowed to flow from a higher security level to a lower one (inside to DMZ, DMZ to outside). Traffic from a lower level to a higher one is denied unless an ACL applied to the lower-security interface permits it. Traffic between two interfaces at the same level is also denied unless same-security-traffic permit inter-interface is configured.

Basic dynamic NAT (pre-8.3 syntax):

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 2.2.2.2
or
global (outside) 1 interface

The 1 is the NAT ID; it ties the nat statement to the global statement with the same ID, so hosts in 192.168.1.0/24 are translated to 2.2.2.2 (or to the outside interface address) when they go out. NAT ID 0 is reserved: it marks a group of addresses that must not be translated (identity NAT, or NAT exemption when it is combined with an access-list, as in the examples below).

Example 1

Creating an Internet-only DMZ while still needing one IP address on the DMZ to reach the inside. This might be handy if you have an Internet-only guest VLAN but want to let visitors print to printers on your internal network.

Step 1

To allow the DMZ to contact the inside, you need an ACL applied inbound on the DMZ interface:

access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any
access-group DMZ11 in interface DMZ11

The ACL is evaluated top-down and the first match wins. It allows 10.3.0.20 to reach three subnets within 10.0.0.0/8, denies 10.3.0.0/24 any other access to 10.0.0.0/8, and then allows 10.3.0.0/24 to reach any other address (out to the Internet). Check the mask on the deny line: ASA ACLs use subnet masks, so 10.0.0.0 255.0.0.0 is the whole of 10.0.0.0/8. A 255.255.255.0 mask there would only block 10.0.0.0/24 and let the guests reach the rest of the inside through the final permit.

Step 2

In addition to the ACL, you need a NAT statement so that traffic between 10.3.0.0/24 and 10.0.0.0/8 is not translated:

access-list nonatdmz extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (DMZ11) 0 access-list nonatdmz

This NAT exemption (nat 0 with an access-list) prevents translation between 10.3.0.0/24 and 10.0.0.0/8; the DMZ11 ACL is still what permits or denies the access. With only the NAT statement in place, pings from the DMZ will not reach 10.0.0.0/8 even when the ACL allows the traffic. To let the DMZ ping 10.0.0.0/8 you also need a static statement:

static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.255.0

The interface names in a static must match the names set with nameif; the DMZ interface in this example is called DMZ11, so use that name rather than dmz. The syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask.

The rule of thumb on pre-8.3 code:

static commands are used for traffic flows from lower to higher security: outside > DMZ > inside
nat commands are used for traffic flows from higher to lower security: inside > DMZ > outside

Example 2

Allowing a web server on the DMZ access to the Internet and to certain servers on the inside.

Step 1

Create the ACL allowing the DMZ host access to the inside:

access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.232 eq www
access-list DMZ extended permit tcp host 10.3.0.20 host 10.0.44.233 eq www
access-group DMZ in interface DMZ

Step 2

Allow the Internet access to the DMZ web server:

access-list enter extended permit tcp any host 1.1.1.1 eq www
access-group enter in interface outside

On pre-8.3 code the ACL on the outside interface matches the mapped (public) address 1.1.1.1, not the real address 10.3.0.20; the static in the next step links the two.

Step 3

Create the static for the lower-to-higher flow, outside > DMZ:

static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask 255.255.255.255

Besides presenting the server on the outside as 1.1.1.1, this one-to-one static gives the server its own translation toward the outside interface.

Looking back at the DMZ11 ACL in Example 1, there is a deny statement followed by a permit statement. That is needed because of the implicit deny at the end of every ACL: the other guest machines on that DMZ need access to the Internet, so the explicit permit to any has to follow the deny. That DMZ segment is different from the one in this example, where only a few known servers live on the DMZ.

Step 4

Create the NAT statement for the higher-to-lower flow, i.e. do not NAT inside traffic going to the DMZ:

access-list nonat extended permit ip 10.0.44.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat

The destination in the nonat entry is the DMZ network (10.3.0.0/24 in these examples); an entry whose source and destination are both the inside subnet would never match traffic crossing the ASA.

All of the above is the pre-8.3 NAT syntax (nat, global, static). From ASA 8.3 on these commands are replaced by object NAT and twice NAT, and interface ACLs match on real (untranslated) addresses, so an ACL like enter would reference 10.3.0.20 rather than 1.1.1.1.

Updated: 06/22/2011

Here is an example where our MPLS router was down and I needed to gain SSH access. I opened a NAT translation from the ASA to the MPLS router and removed it as soon as I had finished entering my commands.

access-list outside extended permit ip any host 1.1.1.2
static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255
access-group outside in interface outside

To allow only SSH, try the ACL below. I did not test it, though it should work.

access-list outside extended permit tcp any host 1.1.1.2 eq ssh

To remove access:

no access-list outside extended permit ip any host 1.1.1.2
no static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255
no access-group outside in interface outside

Sources:

http://www.streetdirectory.com/travel_guide/115482/security/eight_base_commands_of_cisco_asa_security_appliance.html
http://www.alfredtong.com/cisco/security-cisco/demystifying-asapix-nat-0-vs-static/
Experts Exchange thread: Traffic between DMZ and Internal on Cisco ASA 5520
Experts Exchange thread: Cisco ASA-5505 DMZ to Inside Network access and Outside to DMZ access
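As an added example (Python written for this page, not the blog's own configuration), the following models the two behaviours that Examples 1 and 2 both depend on: an interface ACL is read top-down with the first match winning and an implicit deny at the end, and on pre-8.3 code an ACL inbound on outside is matched against the mapped (global) address, which a static then untranslates to the real host. The ACL and static lines are transcribed from the post, with the DMZ11 deny carrying the 255.0.0.0 mask its description calls for; the update's SSH entry is folded into the enter ACL because an interface accepts one inbound ACL, so a second access-group outside in interface outside would replace enter rather than add to it. The test flows (203.0.113.7 as an Internet client, 10.3.0.21 as a guest host on the DMZ) are constructed.

```python
"""Added example, not the blog's code: a model of how a pre-8.3 Cisco ASA applies the
ACLs and statics from Examples 1 and 2.  It reproduces two rules the post relies on:
an interface ACL is read top-down, first match wins, implicit deny at the end; and an
ACL inbound on outside matches the mapped (global) address, which a static untranslates."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # port names accepted after "eq"
# proto "ip" matches every protocol; dport None means any destination port
Ace = namedtuple("Ace", "action proto src dst dport")


def _addr(t, i):
    """One ASA address spec at t[i]: any | host A.B.C.D | A.B.C.D MASK.
    ASA ACLs take subnet masks (255.0.0.0), not IOS wildcard masks (0.255.255.255)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list NAME extended permit|deny PROTO SRC DST [eq PORT]  ->  (NAME, Ace)."""
    t = line.split()
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = (PORTS.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
    return t[1], Ace(t[3], t[4], src, dst, dport)


def load_acls(config):
    """Group ACEs by ACL name in the order written; the order is the policy."""
    acls = {}
    for line in config.strip().splitlines():
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def parse_statics(config):
    """static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK  ->  {mapped_block: real_block}."""
    statics = {}
    for t in (l.split() for l in config.strip().splitlines()):
        if t and t[0] == "static":
            statics[ip_network(f"{t[2]}/{t[5]}", strict=False)] = ip_network(f"{t[3]}/{t[5]}", strict=False)
    return statics


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end is the ASA's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def untranslate(statics, mapped_ip):
    """Real address behind a mapped one (same offset within the block), or None if no static covers it."""
    m = ip_address(mapped_ip)
    for mapped, real in statics.items():
        if m in mapped:
            return ip_address(int(real.network_address) + int(m) - int(mapped.network_address))
    return None


def outside_inbound(acls, statics, proto, src, mapped_dst, dport):
    """Packet on outside: ACL 'enter' is matched on the mapped address (pre-8.3), then the
    static supplies the real host.  Returns (verdict, real_ip or None)."""
    if evaluate(acls["enter"], proto, src, mapped_dst, dport) != "permit":
        return "deny", None
    real = untranslate(statics, mapped_dst)
    return ("permit", str(real)) if real is not None else ("deny", None)


# Transcribed from the post, with the DMZ11 deny carrying the /8 mask its description calls
# for and the update's SSH entry folded into 'enter' (an interface takes one inbound ACL).
CONFIG = """
access-list DMZ11 extended permit tcp host 10.3.0.20 10.115.2.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.4.144.0 255.255.255.0
access-list DMZ11 extended permit tcp host 10.3.0.20 10.0.104.0 255.255.255.0
access-list DMZ11 extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ11 extended permit ip 10.3.0.0 255.255.255.0 any
access-list enter extended permit tcp any host 1.1.1.1 eq www
access-list enter extended permit tcp any host 1.1.1.2 eq ssh
static (DMZ,outside) 1.1.1.1 10.3.0.20 netmask 255.255.255.255
static (inside,outside) 1.1.1.2 10.44.4.1 netmask 255.255.255.255
"""
ACLS = load_acls(CONFIG)
STATICS = parse_statics(CONFIG)

# The deny-line mask checked both ways: with 255.255.255.0 only 10.0.0.0/24 is denied and a
# guest host (constructed: 10.3.0.21) reaches the rest of 10/8 through the trailing permit-any.
DENY_24 = "access-list X extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.255.0"
DENY_8 = "access-list X extended deny ip 10.3.0.0 255.255.255.0 10.0.0.0 255.0.0.0"
PERMIT_ANY = "access-list X extended permit ip 10.3.0.0 255.255.255.0 any"


def verdict_with_deny(deny_line, src="10.3.0.21", dst="10.0.104.9"):
    return evaluate([parse_ace(deny_line)[1], parse_ace(PERMIT_ANY)[1]], "tcp", src, dst, 80)
```

Running verdict_with_deny(DENY_24) returns "permit" while verdict_with_deny(DENY_8) returns "deny", which is the whole difference between a guest VLAN that is Internet-only and one that can browse the inside. outside_inbound(ACLS, STATICS, "tcp", "203.0.113.7", "1.1.1.1", 80) permits and resolves to 10.3.0.20, whereas the same client on port 22 is dropped by enter before any translation is consulted; a mapped address with no static behind it is dropped even when the ACL permits it.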