
RHC TECHNOLOGIES

Cisco ASA Firewall


LAB WORKBOOK

Prepared By
Sai Linn Thu

2016 RHC Technologies #LIKE #FOLLOW #WATCH





Security Policy ( Allow / Deny )

Source \ Destination   Employee   E-mail   Finance ( $ )   Internet
Employee               Deny       Permit   Deny            Permit
Executive              Deny       Deny     Permit          Permit
BYOD                   Deny       Permit   Deny            Permit
Guest                  Permit     Deny     Deny            Permit




Security Level : 0 ( lowest ) to 100 ( highest )

Diagram: Internet -- outside ( 0 ) -- ASA -- dmz ( 50 ) / inside ( 100 )




Security Level : 0 ( lowest ) to 100 ( highest )

Diagram: Internet -- outside ( 0 ) -- ASA -- dmz zone 1 ( 50 ) / dmz zone 2 ( 60 ) / dmz zone 3 ( 70 ) / inside ( 100 )



Incoming traffic / Outgoing traffic

Diagram: Internet -- outside ( 0 ) -- ASA -- dmz ( 50 ) / inside ( 100 ), with the labels
"Incoming traffic ( Allow, but Inspected ) ( Low to High )" and
"Outgoing traffic ( Block, Explicitly Allow ) ( High to Low )".




LAB addresses : Facebook 173.252.74.68/32 , Youtube 172.217.25.174/32

Topology: Internet ( 150.1.1.0/24 ) -- outside ( 0 ) -- ASA -- dmz ( 50 ) -- 192.168.1.0/24 -- DMZ 192.168.5.5/24 ; ASA -- inside ( 100 ) -- 10.1.1.0/24 -- LAN 10.10.10.10/24

ASA# show int ip brief

int g0
 nameif inside
 security-level 100
 ip address 10.1.1.100 255.255.255.0
!
int g1
 nameif outside
 security-level 0
 ip address 150.1.1.100 255.255.255.0
!
int g2
 nameif dmz
 security-level 50
 ip address 192.168.1.100 255.255.255.0
!




Verify ping test on ASA !

ASA
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5

SUCCESS [or] FAIL ?




Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32

Topology as above ( Internet 150.1.1.0/24 -- outside ( 0 ) ; dmz ( 50 ) -- 192.168.1.0/24 -- 192.168.5.5/24 ; inside ( 100 ) -- 10.1.1.0/24 -- 10.10.10.10/24 )

ASA# show route

route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1




Verify ping test on ASA !

ASA
ASA#ping 173.252.74.68
ASA#ping 10.10.10.10
ASA#ping 192.168.5.5

SUCCESS [or] FAIL ?




Configure default routes from LAN , DMZ and INTERNET !

LAN#ip route 0.0.0.0 0.0.0.0 10.1.1.100
DMZ#ip route 0.0.0.0 0.0.0.0 192.168.1.100
INTERNET#ip route 0.0.0.0 0.0.0.0 150.1.1.100




Verify ping test from LAN to INTERNET !

LAN
LAN#ping 173.252.74.68
LAN#ping 173.252.74.68 source lo0

SUCCESS [or] FAIL ?

Outbound traffic : Low > High is OK ( inspected )
Inbound traffic : High > Low is DROP ( requires ACL )




Configure vty password & enable password on LAN , DMZ and INTERNET !

LAN
line vty 0 4
password testlan
!
enable password testlan
!

DMZ
line vty 0 4
password testdmz
!
enable password testdmz
!

INTERNET
line vty 0 4
password testout
!
enable password testout
!

Verify telnet test from LAN <-> INTERNET // LAN <-> DMZ // DMZ <-> INTERNET

LAN
LAN#telnet 173.252.74.68

LAN#telnet 173.252.74.68 /source-interface lo0

INTERNET
INTERNET#telnet 10.10.10.10

INTERNET#telnet 10.10.10.10 /source-interface lo0

Please also test LAN <-> DMZ // DMZ <-> INTERNET.

SUCCESS [or] FAIL ?




Configure ACL to allow telnet traffic from INTERNET to LAN!

ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!

Verify telnet test from INTERNET to LAN

INTERNET
INTERNET#telnet 10.10.10.10
INTERNET#telnet 10.10.10.10 /source-interface lo0
INTERNET#telnet 10.10.10.10 /source-interface lo1

SUCCESS [or] FAIL ?




Configure ACL to allow telnet traffic from DMZ to LAN!

ASA
access-list DMZ_LAN permit tcp any any eq telnet
!
access-group DMZ_LAN in interface dmz
!

Verify telnet test from DMZ to LAN

DMZ
DMZ#telnet 10.10.10.10
DMZ#telnet 10.10.10.10 /source-interface lo0

SUCCESS [or] FAIL ?




Verify telnet test from INTERNET to DMZ !

INTERNET
INTERNET#telnet 192.168.5.5
INTERNET#telnet 192.168.5.5 /source-interface lo0
INTERNET#telnet 192.168.5.5 /source-interface lo1

Why SUCCESS ?
Because of the config below, applied in the previous step: the access-group on the outside interface permits telnet from any source to any destination, so it matches traffic entering outside for the DMZ just as it does for the LAN.

ASA
access-list INTERNET_LAN permit tcp any any eq telnet
!
access-group INTERNET_LAN in interface outside
!




Delete the below config

ASA
no access-list INTERNET_LAN permit tcp any any eq telnet
!
no access-group INTERNET_LAN in interface outside
!

After deleting the config,

we can no longer telnet from INTERNET to LAN, nor from INTERNET to DMZ.
But we can still telnet from DMZ to LAN.




Configure the policy as below :

1) ONLY Allow TELNET from 173.252.74.68 to LAN.
2) ONLY Allow TELNET from 172.217.25.174 to DMZ.

ASA
access-list INTERNET_LAN permit tcp host 173.252.74.68 10.10.10.0 255.255.255.0 eq telnet
!
access-list INTERNET_LAN permit tcp host 172.217.25.174 192.168.5.0 255.255.255.0 eq telnet
!
access-group INTERNET_LAN in interface outside
!




Verify telnet test from INTERNET to LAN !

INTERNET
INTERNET#telnet 10.10.10.10 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo0 > {success/fail}
INTERNET#telnet 10.10.10.10 /source-interface lo1 > {success/fail}

Verify telnet test from INTERNET to DMZ !

INTERNET
INTERNET#telnet 192.168.5.5 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo0 > {success/fail}
INTERNET#telnet 192.168.5.5 /source-interface lo1 > {success/fail}




Configure the policy as below :

1) Allow ping ( ICMP ) from LAN to DMZ.
2) Allow ping ( ICMP ) from LAN to INTERNET.

ASA
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-group DMZ_LAN in interface dmz




Verify ping test from LAN to INTERNET & DMZ !

LAN
LAN#ping 173.252.74.68 source lo0
LAN#ping 192.168.5.5 source lo0

SUCCESS [or] FAIL ?

Outbound traffic : Low > High is OK ( inspected )
Inbound traffic : High > Low is OK ( required ACL is configured )
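The telnet steps earlier (why the any-any ACL on outside also let INTERNET reach the DMZ, and why DMZ to LAN still worked after that ACL was removed) and the echo-reply entries in this ping step all follow from one decision rule. The Python model below is an added example, not part of the workbook and not ASA code; it uses the lab's interface levels, routes and addresses, and assumes that TCP return traffic is allowed by the ASA connection table while ICMP is not inspected, so an echo-reply is judged as a new flow on its way back.

```python
# Added model (not ASA code): the ASA decision for a NEW flow is the inbound
# access-group on the ingress interface if one is applied, else the security-
# level rule. Assumed: TCP returns via the connection table; ICMP is not
# inspected, so an echo-reply is checked as its own low-to-high flow.
from ipaddress import ip_address, ip_network

LEVEL = {"outside": 0, "dmz": 50, "inside": 100}           # from the lab
ROUTES = {"10.10.10.0/24": "inside", "192.168.5.0/24": "dmz", "0.0.0.0/0": "outside"}
ANY = "0.0.0.0/0"

def egress(dst):
    """Longest-prefix match over the lab's static routes."""
    hits = [n for n in ROUTES if ip_address(dst) in ip_network(n)]
    return ROUTES[max(hits, key=lambda n: ip_network(n).prefixlen)]

def acl_lookup(entries, proto, src, dst, svc):
    """First matching ACE wins; every ASA ACL ends in an implicit deny."""
    for action, p, s, d, v in entries:
        if (p == proto and ip_address(src) in ip_network(s)
                and ip_address(dst) in ip_network(d) and v in (None, svc)):
            return action
    return "deny"

def decide(acls, groups, ingress, proto, src, dst, svc):
    """'permit' or 'deny' for a NEW flow entering `ingress`."""
    if ingress in groups:                        # access-group replaces level rule
        return acl_lookup(acls[groups[ingress]], proto, src, dst, svc)
    if LEVEL[ingress] > LEVEL[egress(dst)]:      # high -> low: allowed by default
        return "permit"
    return "deny"                                # low -> high: needs an ACL

def ping(acls, groups, src_if, src, dst):
    """Echo out and echo-reply back must both be permitted for a ping to work."""
    out = decide(acls, groups, src_if, "icmp", src, dst, "echo")
    back = decide(acls, groups, egress(dst), "icmp", dst, src, "echo-reply")
    return "permit" if out == back == "permit" else "deny"

def telnet_results(acls, groups):
    fb, lan, dmz = "173.252.74.68", "10.10.10.10", "192.168.5.5"
    return {"INTERNET->LAN": decide(acls, groups, "outside", "tcp", fb, lan, 23),
            "INTERNET->DMZ": decide(acls, groups, "outside", "tcp", fb, dmz, 23),
            "DMZ->LAN": decide(acls, groups, "dmz", "tcp", dmz, lan, 23),
            "LAN->INTERNET": decide(acls, groups, "inside", "tcp", lan, fb, 23)}

TELNET_ANY = ("permit", "tcp", ANY, ANY, 23)   # "permit tcp any any eq telnet"
ACLS = {"INTERNET_LAN": [TELNET_ANY], "DMZ_LAN": [TELNET_ANY]}
GROUPS = {"outside": "INTERNET_LAN", "dmz": "DMZ_LAN"}
GROUPS_AFTER_NO = {"dmz": "DMZ_LAN"}           # after "no access-group ... outside"
ECHO_REPLY = ("permit", "icmp", ANY, ANY, "echo-reply")
ACLS_PING = {"INTERNET_LAN": [ECHO_REPLY], "DMZ_LAN": [ECHO_REPLY]}
```

With ACLS_PING applied, a LAN-initiated ping succeeds in both directions of the flow, while a ping initiated from INTERNET is still dropped because only echo-reply, not echo, is permitted on outside.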




Configure the policy as below :

1) Allow ping ( ICMP ) from INTERNET to LAN.
2) Allow ping ( ICMP ) from DMZ to LAN.

ASA
access-list INTERNET_LAN permit icmp any any echo
access-list INTERNET_LAN permit icmp any any echo-reply
!
access-group INTERNET_LAN in interface outside
!
access-list DMZ_LAN permit icmp any any echo
access-list DMZ_LAN permit icmp any any echo-reply
!
access-group DMZ_LAN in interface dmz




Verify ping test from INTERNET to LAN & DMZ to LAN !

ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 192.168.5.5 source lo0
INTERNET#ping 192.168.5.5 source lo1

DMZ#ping 10.10.10.10 source lo0
DMZ#ping 10.10.10.10 source lo1

SUCCESS [or] FAIL ?



LAB addresses : Facebook 173.252.74.68/32 , Youtube 172.217.25.174/32 , Google DNS 8.8.8.8/32 , 8.8.4.4/32

Topology and ASA interface configuration ( show int ip brief ) as on the earlier topology slide: outside ( 0 ) 150.1.1.100/24 , dmz ( 50 ) 192.168.1.100/24 , inside ( 100 ) 10.1.1.100/24.



Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32

Topology as above ( Internet 150.1.1.0/24 -- outside ( 0 ) ; dmz ( 50 ) -- 192.168.1.0/24 -- 192.168.5.5/24 ; inside ( 100 ) -- 10.1.1.0/24 -- 10.10.10.10/24 )

ASA# show route

route outside 0 0 150.1.1.1
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route inside 11.11.11.0 255.255.255.0 10.1.1.1
route inside 12.12.12.0 255.255.255.0 10.1.1.1
route dmz 192.168.5.0 255.255.255.0 192.168.1.1




Configure the policy using object-group as below :

ASA
object-group network GoogleDNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
!
object-group network LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 12.12.12.0 255.255.255.0
!
object-group service PING
 service-object icmp echo
 service-object icmp echo-reply
!
access-list INTERNET_LAN permit object-group PING object-group GoogleDNS object-group LAN
!
access-group INTERNET_LAN in interface outside




Verify ping test from INTERNET to LAN !

ping test
INTERNET#ping 10.10.10.10 source lo0
INTERNET#ping 10.10.10.10 source lo1
INTERNET#ping 10.10.10.10 source lo2
INTERNET#ping 10.10.10.10 source lo3

INTERNET#ping 11.11.11.11 source lo0
INTERNET#ping 11.11.11.11 source lo1
INTERNET#ping 11.11.11.11 source lo2
INTERNET#ping 11.11.11.11 source lo3

INTERNET#ping 12.12.12.12 source lo0
INTERNET#ping 12.12.12.12 source lo1
INTERNET#ping 12.12.12.12 source lo2
INTERNET#ping 12.12.12.12 source lo3



Facebook : 173.252.74.68/32
Youtube : 172.217.25.174/32
Google DNS : 8.8.8.8/32 , 8.8.4.4/32

Topology as above, with the DMZ host 192.168.5.5/24 published on the outside as 150.1.1.5/32.

DMZ
line vty 0 4
 password testdmz
!
enable password testdmz
!

ASA
object network DMZ-Private
 host 192.168.5.5
!
object network DMZ-Public
 host 150.1.1.5
!
nat (dmz,outside) source static DMZ-Private DMZ-Public
!
access-list INTERNET_LAN permit tcp any any eq telnet




Verify telnet from INTERNET to DMZ Public IP !

telnet test
INTERNET#telnet 150.1.1.5 /source-interface lo0
INTERNET#telnet 150.1.1.5 /source-interface lo1
INTERNET#telnet 150.1.1.5 /source-interface lo2
INTERNET#telnet 150.1.1.5 /source-interface lo3



RHC Technologies
www.rhctechnologies.com