ASA/PIX Basic Configuration I

It’s been a while since I wrote posts on this website; the reason for this was that a lot of things happened to me which kept me from writing posts more often. From now on I will try my best to put some posts up here once in a while again. I’ll start with some simple firewall posts, hope you appreciate it. Oh yeah, before I forget, please click on my Google ads once in a while to keep this site going.
In this lab I am going to show a basic configuration for the network in the picture below.

Basic ASA Firewall

As you can see, the network has an outside, a DMZ and an inside, which itself contains two networks. The security levels will be 100 on the inside, 50 for the DMZ and 0 for the outside. Configured like this, only traffic from a higher security level to a lower one is permitted by default. So in this case traffic from inside to DMZ, inside to outside and from DMZ to outside will be possible.

Firewall:


Firewall(config)# interface ethernet0/0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 99.99.99.1 255.255.255.0
Firewall(config-if)# no shutdown
Firewall(config-if)# exit
Firewall(config)# interface ethernet0/1
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 10.1.1.1 255.255.255.252
Firewall(config-if)# no shutdown
Firewall(config-if)# exit
Firewall(config)# interface ethernet0/2
Firewall(config-if)# nameif dmz
Firewall(config-if)# security-level 50
Firewall(config-if)# ip address 172.26.1.1 255.255.255.0
Firewall(config-if)# no shutdown

As you can see there are two inside networks. The firewall has to know where to find these networks, which is done with static routes via the next hop 10.1.1.2, like below:


Firewall(config)# route inside 10.10.2.0 255.255.255.0 10.1.1.2
Firewall(config)# route inside 10.10.3.0 255.255.255.0 10.1.1.2

Next we want to make it possible for the inside users and the DMZ users (for now) to reach the internet, and for this we have to put PAT in place. The ASA will then use its outside IP address as the PAT address pool, so all inside users going out onto the internet will appear with the IP address 99.99.99.1 in this case.


Firewall(config)# nat-control
Firewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Firewall(config)# nat (dmz) 1 0.0.0.0 0.0.0.0
Firewall(config)# global (outside) 1 interface
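
As an added illustration (my own code, not part of the post or of the ASA), the Python model below parses the nameif, security-level, ip address, route, nat and global lines configured above and answers, for a given flow, what the security levels and the PAT rule do with it before any ACLs exist. Interface names, addresses and NAT ids are the ones from this lab; the host addresses used in the examples are constructed.

```python
import ipaddress
# Constructed sample: the nameif/security-level/ip, route and NAT lines from the post above.
ASA_CONFIG = """nameif outside
security-level 0
ip address 99.99.99.1 255.255.255.0
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
nameif dmz
security-level 50
ip address 172.26.1.1 255.255.255.0
route inside 10.10.2.0 255.255.255.0 10.1.1.2
route inside 10.10.3.0 255.255.255.0 10.1.1.2
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface"""

def parse(cfg):  # interfaces by nameif, routes as (network, nameif), nat rules and global pools by (nameif, id)
    ifaces, routes, nats, globs, cur = {}, [], {}, {}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "nameif":
            cur = ifaces[w[1]] = {"name": w[1]}
        elif w[0] == "security-level":
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:  # the interface subnet is a connected route
            cur["addr"] = ipaddress.ip_address(w[2])
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), cur["name"]))
        elif w[0] == "route":  # route <nameif> <network> <mask> <gateway>
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[1]))
        elif w[0] == "nat":  # nat (<nameif>) <id> <local-network> <mask>
            nats[(w[1].strip("()"), w[2])] = ipaddress.ip_network(f"{w[3]}/{w[4]}")
        elif w[0] == "global":  # global (<nameif>) <id> interface
            globs[(w[1].strip("()"), w[2])] = w[3]
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first
    return ifaces, routes, nats, globs

def evaluate(cfg, src, dst):  # what security levels + PAT (no ACLs yet) do with a new flow src -> dst
    ifaces, routes, nats, globs = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    i, e = (next((name for net, name in routes if ip in net), None) for ip in (src, dst))
    if i is None or e is None:
        return {"action": "drop", "reason": "no route"}
    if ifaces[i]["level"] <= ifaces[e]["level"]:
        return {"action": "drop", "reason": f"{i} -> {e} is not high to low; an ACL is needed"}
    # a nat rule matching src on the ingress side must pair with a global of the same id on the egress side
    pool = next((globs.get((e, nid)) for (ni, nid), net in nats.items() if ni == i and src in net), None)
    if pool != "interface" and "nat-control" in cfg.splitlines():  # nat-control drops untranslatable flows
        return {"action": "drop", "reason": "nat-control: no translation group for this flow"}
    return {"action": "permit", "ingress": i, "egress": e, "xlate": str(ifaces[e]["addr"] if pool else src)}
```

Running it shows that inside and DMZ hosts reach the outside as 99.99.99.1, that outside-to-DMZ is refused until an ACL exists, and that inside-to-DMZ is dropped with nat-control on because nothing provides a translation on the dmz side yet; the config above also has no default route, so a real internet destination still comes back as "no route".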
In the next post we will configure some basic ACLs, NAT and statics.
