Cisco ASA Firewall Lab WorkBook

©2016 RHC Technologies
R H C
TECHNOLOGIES
#LIKE #FOLLOW #WATCH
Cisco ASA Firewall
LAB WORKBOOK

Prepared By
Sai Linn Thu

R H C
TECHNOLOGIES
Security Policy
( Allow / Deny )

R H C
TECHNOLOGIES
Security Policy
( Allow / Deny )
Employee
E-‐mail
Finance
(
$
)
Internet

Employee
Deny
Permit
Deny
Permit

Execu9ve
Deny
Deny
Permit
Permit

BYOD
Deny
Permit
Deny
Permit

Guest
Permit
Deny
Deny
Permit

Source
Destination

R H C
TECHNOLOGIES
{lowest 0} > Security Level < {highest 100}
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )

R H C
TECHNOLOGIES
{lowest 0} > Security Level < {highest 100}
Internet
outside ( 0 )
inside ( 100 )
dmz zone 1 ( 50 )
dmz zone 2 ( 60 )
dmz zone 3 ( 70 )

R H C
TECHNOLOGIES
Incoming traffic / Outgoing traffic
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
Incoming traffic
( Low – to – High )
Outgoing traffic
( High – to – Low )
(Block, Explicitly Allow)
(Allow, but Inspected)

R H C
TECHNOLOGIES
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
192.168.5.5/24
10.10.10.10/24
ASA

int g0
nameif inside
security-level 100
ip add 10.1.1.100 255.255.255.0
int g1
nameif outside
security-level 0
ip add 150.1.1.100 255.255.255.0
!
int g2
nameif dmz
security-level 50
ip add 192.168.1.100 255.255.255.0
!
#show int ip brief
LAB

Verify ping test on ASA !
R H C
TECHNOLOGIES
ASA
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5
SUCCESS [or] FAIL ?

R H C
TECHNOLOGIES
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
192.168.5.5/24
10.10.10.10/24
ASA

route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route

Conﬁgure default routes from LAN , DMZ and INTERNET !
R H C
TECHNOLOGIES
LAN#ip route 0.0.0.0 0.0.0.0 10.1.1.100
DMZ#ip route 0.0.0.0 0.0.0.0 192.168.1.100
INTERNET#ip route 0.0.0.0 0.0.0.0 150.1.1.100

Verify ping test from LAN to INTERNET !
R H C
TECHNOLOGIES
LAN
LAN#ping 173.252.74.68
LAN#ping 173.252.74.68 source lo0
SUCCESS [or] FAIL ?
Outbound trafﬁc : Low > High is OK ( inspected )
Inbound trafﬁc : High > Low is DROP ( require ACL )

Conﬁgure vty password & enable password on LAN , DMZ and INTERNET !
R H C
TECHNOLOGIES
LAN
line vty 0 4
password testlan
!
enable password testlan
!
DMZ
line vty 0 4
password testdmz
!
enable password testdmz
!
INTERNET
line vty 0 4
password testout
!
enable password testout
!

Verify telnet test from LAN < > INTERNET // LAN < > DMZ // DMZ < > INTERNET
R H C
TECHNOLOGIES
LAN
LAN#telnet 173.252.74.68
LAN#telnet 173.252.74.68 /source-interface lo0
Please also test LAN < > DMZ // DMZ < > INTERNET.
SUCCESS [or] FAIL ?
INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0

Conﬁgure ACL to allow telnet trafﬁc from INTERNET to LAN!
R H C
TECHNOLOGIES
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!
INTERNET
Verify telnet test from INTERNET to LAN
SUCCESS [or] FAIL ?

Conﬁgure ACL to allow telnet trafﬁc from DMZ to LAN!
R H C
TECHNOLOGIES
ASA
access-list DMZ_LAN permit tcp any any eq telnet
!
access-group DMZ_LAN in interface dmz
!
DMZ
DMZ#telnet 10.10.10.10
DMZ#telnet 10.10.10.10 /source-interface lo0
Verify telnet test from DMZ to LAN
SUCCESS [or] FAIL ?

Verify telnet test from INTERNET to DMZ !
R H C
TECHNOLOGIES
INTERNET
Why SUCCESS ?
Because of the below conﬁg we conﬁgured in the previous step.
ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
!

Delete the below conﬁg
R H C
TECHNOLOGIES
ASA
NO access-list INTERNET_LAN permit tcp any any eq telnet
!
NO access-group INTERNET_LAN in interface outside
!
After deleting the conﬁg,
We cannot be able to TELNET from INTERNET to LAN, and also from INTERNET to DMZ.
But we still can be able to telnet from DMZ to LAN.

Conﬁgure the policy as below :
1)  ONLY Allow TELNET from 173.252.74.68 to LAN.
2)  ONLY Allow TELNET from 172.217.25.174 to DMZ.
R H C
TECHNOLOGIES
ASA
access-list INTERNET_LAN permit tcp host 173.252.74.68 10.10.10.0 255.255.255.0 eq telnet
!
access-list INTERNET_LAN permit tcp host 172.217.25.174 192.168.5.0 255.255.255.0 eq telnet
!
!

©2016 RHC Technologies #LIKE #FOLLOW #WATCH
R H C
TECHNOLOGIES
Verify telnet test from INTERNET to LAN !
INTERNET
INTERNET#telnet 10.10.10.10 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo0 > {success/fail}
Verify telnet test from INTERNET to DMZ !
INTERNET
INTERNET#telnet 192.168.5.5 > {success/fail}

1)  Allow ping ( ICMP ) from LAN to DMZ.
2)  Allow ping ( ICMP ) from LAN to INTERNET.
R H C
TECHNOLOGIES
ASA
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-list DMZ_LAN permit icmp any any echo-reply
!
!

Verify ping test from LAN to INTERNET & DMZ !
R H C
TECHNOLOGIES
LAN
SUCCESS [or] FAIL ?
Outbound traffic : Low > High is OK ( inspected )
Inbound traffic : High > Low is OK ( required ACL is configured )

1)  Allow ping ( ICMP ) from INTERNET to LAN.
2)  Allow ping ( ICMP ) from DMZ to LAN.
R H C
TECHNOLOGIES
ASA
access-list INTERNET_LAN permit icmp any any echo
access-list INTERNET_LAN permit icmp any any echo-reply
!
!
access-list DMZ_LAN permit icmp any any echo
access-list DMZ_LAN permit icmp any any echo-reply
!

Verify ping test from INTERNET to LAN & DMZ to LAN!
R H C
TECHNOLOGIES
ping test
INTERNET#ping 10.10.10.10 source lo0
DMZ#ping 10.10.10.10 source lo0
DMZ#ping 10.10.10.10 source lo1
SUCCESS {or} FAIL ?

R H C
TECHNOLOGIES
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32
192.168.5.5/24
10.10.10.10/24
ASA

int g0
nameif inside
security-level 100
ip add 10.1.1.100 255.255.255.0
int g1
nameif outside
security-level 0
ip add 150.1.1.100 255.255.255.0
!
int g2
nameif dmz
security-level 50
ip add 192.168.1.100 255.255.255.0
!
#show int ip brief
LAB

R H C
TECHNOLOGIES
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32
192.168.5.5/24
10.10.10.10/24
ASA

route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route inside 11.11.11.0 255.255.255.0 10.1.1.1
route inside 12.12.12.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1
#show route

Conﬁgure the policy using object-group as below :
R H C
TECHNOLOGIES
ASA
object-group network GoogleDNS
network-object host 8.8.8.8
network-object host 8.8.4.4
!
object-group network LAN
network-object 10.10.10.0 255.255.255.0
network-object 11.11.11.0 255.255.255.0
network-object 12.12.12.0 255.255.255.0
!
object-group service PING
service-object icmp echo
service-object icmp echo-reply
!
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
!

Verify ping test from INTERNET to LAN!
R H C
TECHNOLOGIES
ping test

R H C
TECHNOLOGIES
Internet
outside ( 0 )
inside ( 100 )
dmz ( 50 )
150.1.1.0/24
10.1.1.0/24
192.168.1.0/24
Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32
192.168.5.5/24
150.1.1.5/32
10.10.10.10/24
ASA

Object network DMZ-Private
host 192.168.5.5
!
Object network DMZ-Public
host 150.1.1.5
!
nat(dmz,outside) source static DMZ-Private DMZ-Public
!
Access-list INTERNET_LAN permit tcp any any eq telnet
LAB
DMZ
line vty 0 4
password testdmz
!
enable password testdmz
!

Verify telnet from INTERNET to DMZ Public IP!
R H C
TECHNOLOGIES
ping test

Cisco ASA Firewall Lab WorkBook

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Similar to Cisco ASA Firewall Lab WorkBook

Similar to Cisco ASA Firewall Lab WorkBook (20)

Recently uploaded

Recently uploaded (20)

Cisco ASA Firewall Lab WorkBook