9/10/2014

How To Get a Cisco ASA Up and Running in a Few Simple Steps:

It's quite simple to get a Cisco ASA up and running to protect and secure your inside network in a few simple steps.
You'll need to configure the:
  1. inside/outside interfaces,
  2. NAT,
  3. outside (global) NAT IP,
  4. default route,
  5. inside route(s), and you're done.
The nat/global commands below are the pre-8.3 ASA syntax; ASA 8.3 and later replaced them with object NAT, so on a newer image Steps 2 and 3 look different.
Here are the steps:

Step 1. Configure the INSIDE and OUTSIDE interfaces.
ASA(config)#
interface Ethernet0/0
 description ***This is the interface going to your INTERNAL INSIDE NETWORK***
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2  -- standby is OPTIONAL, only if you have a dual-ASA failover pair; the standby address must be in the same subnet as the primary or the ASA rejects it.


interface Ethernet0/1
 description ***This is the interface going to your ISP facing router***
 nameif OUTSIDE
 security-level 0
 ip address YOURPUBLIC-IP-FROM-ISP 255.255.255.224 standby PUBLIC-IP2-FROM-ISP  -- standby is OPTIONAL, only if you have a dual-ASA failover pair, else NO need.

STEP 2:
ASA(config)#
nat (INSIDE) 1 0.0.0.0 0.0.0.0  -- This matches ALL source addresses on INSIDE and tags them with NAT id 1, so every internal subnet is translated to a public IP address and can reach the Internet.


STEP 3:
ASA(config)#
global (OUTSIDE) 1 8.4.4.9 netmask 255.255.255.0  -- This gives NAT id 1 (the INSIDE traffic from Step 2) its public address on OUTSIDE, in this case 8.4.4.9. Because a single address is listed, the ASA does PAT: all inside hosts share 8.4.4.9 and are told apart by source port.

STEP 4:
Secure your network from ping SCANS.
Create an access-list that lets your own pings go out and their replies come back, while outside hosts cannot ping in. This puts your network in "STEALTH MODE" basically.
Only ICMP replies and error messages are permitted; the echo (request) type is not listed, so an inbound ping hits the implicit deny at the end of the list. The echo-reply entry matters because the ASA does not track ICMP statefully unless "inspect icmp" is enabled, so without it your outbound pings would get no answers. Note that once this ACL is applied in Step 5, anything from OUTSIDE that is not explicitly permitted in INBOUND_ACL is dropped, so any inbound service you need later must be added here.

ASA(config)#
access-list INBOUND_ACL extended permit icmp any any echo-reply
access-list INBOUND_ACL extended permit icmp any any source-quench
access-list INBOUND_ACL extended permit icmp any any unreachable
access-list INBOUND_ACL extended permit icmp any any time-exceeded



STEP 5:
Apply the access-list to the OUTSIDE interface:
ASA(config)#
access-group INBOUND_ACL in interface OUTSIDE

STEP 6:
Create a static default route for your ASA to reach the Internet:
ASA(config)#
route OUTSIDE 0.0.0.0 0.0.0.0 8.4.4.254 1  -- The next hop is your ISP router's address, which must be in the OUTSIDE interface's subnet; the trailing 1 is the administrative distance.

STEP 7:

Create static routes for the ASA to reach internal networks that sit behind an inside router:
ASA(config)#
route INSIDE 192.168.10.0 255.255.255.0 192.168.10.1 1  -- 192.168.10.0/24 is directly connected to the INSIDE interface, so the ASA already has a connected route for it; this line is redundant and can be omitted.

route INSIDE 192.168.11.0 255.255.255.0 INSIDE-ROUTER-IP 1  -- Add one route per additional INSIDE subnet. The next hop is the inside router that owns that subnet (an address in 192.168.10.0/24), not the ASA's own 192.168.10.1.

done.
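As an added example that is not part of the original post, the script below models the seven steps as plain data, renders the CLI lines, and lints the mistakes these steps make easy: a standby address outside the interface subnet, a default gateway outside the OUTSIDE subnet, an inside route whose next hop is the ASA itself, and an inbound ICMP list that would let outside hosts ping in. It assumes the pre-8.3 nat/global syntax used above; the public addresses (203.0.113.0/24, RFC 5737 documentation space) and the inside router address 192.168.10.254 are constructed sample values, not the post's.

```python
"""Render and lint the post's seven-step ASA configuration (added example)."""
import ipaddress

# Constructed sample: the post's inside values as written, with the post's
# placeholders replaced by documentation addresses (RFC 5737).
SAMPLE = {
    "inside_ip": "192.168.10.1", "inside_mask": "255.255.255.0",
    "inside_standby": "192.168.100.2",      # not in 192.168.10.0/24
    "outside_ip": "203.0.113.10", "outside_mask": "255.255.255.224",
    "outside_standby": "203.0.113.11",
    "nat_id": 1, "global_ip": "203.0.113.12",
    "default_gw": "203.0.113.30",
    # (destination network, next hop); here the next hop is the ASA's own IP
    "inside_routes": [("192.168.11.0/24", "192.168.10.1")],
    "icmp_permits": ["echo-reply", "source-quench", "unreachable", "time-exceeded"],
}

# Same parameters with both problems corrected; 192.168.10.254 is an assumed
# inside router address.
FIXED = dict(SAMPLE, inside_standby="192.168.10.2",
             inside_routes=[("192.168.11.0/24", "192.168.10.254")])


def _ip_line(ip, mask, standby):
    line = f" ip address {ip} {mask}"
    return line + (f" standby {standby}" if standby else "")


def render(p):
    """Emit the pre-8.3 CLI lines for the parameters, in the post's step order."""
    lines = [
        "interface Ethernet0/0", " nameif INSIDE", " security-level 100",
        _ip_line(p["inside_ip"], p["inside_mask"], p["inside_standby"]),
        "interface Ethernet0/1", " nameif OUTSIDE", " security-level 0",
        _ip_line(p["outside_ip"], p["outside_mask"], p["outside_standby"]),
        f"nat (INSIDE) {p['nat_id']} 0.0.0.0 0.0.0.0",
        f"global (OUTSIDE) {p['nat_id']} {p['global_ip']} netmask 255.255.255.255",
    ]
    lines += [f"access-list INBOUND_ACL extended permit icmp any any {t}"
              for t in p["icmp_permits"]]
    lines.append("access-group INBOUND_ACL in interface OUTSIDE")
    lines.append(f"route OUTSIDE 0.0.0.0 0.0.0.0 {p['default_gw']} 1")
    for net, gw in p["inside_routes"]:
        n = ipaddress.ip_network(net)
        lines.append(f"route INSIDE {n.network_address} {n.netmask} {gw} 1")
    return "\n".join(lines)


def inbound_icmp_permitted(permits, icmp_type):
    """Evaluate INBOUND_ACL for an ICMP packet arriving on OUTSIDE: a listed
    type matches a permit line, anything else hits the implicit deny."""
    return icmp_type in permits


def lint(p):
    """Return a list of findings; an empty list means the steps are consistent."""
    findings = []
    inside = ipaddress.ip_interface(f"{p['inside_ip']}/{p['inside_mask']}")
    outside = ipaddress.ip_interface(f"{p['outside_ip']}/{p['outside_mask']}")
    for name, iface, standby in (("INSIDE", inside, p["inside_standby"]),
                                 ("OUTSIDE", outside, p["outside_standby"])):
        if standby and ipaddress.ip_address(standby) not in iface.network:
            findings.append(f"{name}: standby {standby} is not in {iface.network}")
    if ipaddress.ip_address(p["default_gw"]) not in outside.network:
        findings.append(f"default route: next hop {p['default_gw']} is not in {outside.network}")
    for net, gw in p["inside_routes"]:
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip == inside.ip:
            findings.append(f"route {net}: next hop {gw} is the ASA's own INSIDE address")
        elif gw_ip not in inside.network:
            findings.append(f"route {net}: next hop {gw} is not in {inside.network}")
        if ipaddress.ip_network(net) == inside.network:
            findings.append(f"route {net}: directly connected, static route is redundant")
    if inbound_icmp_permitted(p["icmp_permits"], "echo"):
        findings.append("INBOUND_ACL permits echo: outside hosts can ping in")
    if not inbound_icmp_permitted(p["icmp_permits"], "echo-reply"):
        findings.append("INBOUND_ACL lacks echo-reply: outbound pings get no answers without inspect icmp")
    return findings


if __name__ == "__main__":
    for label, params in (("post values", SAMPLE), ("corrected", FIXED)):
        print(f"== {label}: {len(lint(params))} finding(s)")
        for f in lint(params):
            print("  -", f)
    print(render(FIXED))
```

Running it reports two findings for the post's values (the standby address in the wrong subnet and the inside route pointing at the ASA itself) and none for the corrected set, and shows that an inbound echo request is denied while echo replies are permitted, which is the "stealth mode" behaviour Step 4 is after.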
Let me know if this helps.
