Welcome to CCDA live, where I’ll be doing a case study on the Cisco ASA, and we’ll see how this device enables network segmentation and access control.
In this lab, we have one ASA and we have three routers. This guy would act as the inside router, this would be the DMZ router, and this would be the outside router. These are the IP addresses configured on the different interfaces.
Let’s go to the ASA and see what we have. If I enable and do a show run … What I have right now is GigabitEthernet0/0. That’s the outside interface. Notice that we have the nameif, the security level is 0, and this is the IP address. For the inside, the security level is 100, and for the DMZ, the security level is 50. Something I’ve also done is to inspect ICMP.
By default, ICMP inspection is not enabled. If you notice here, I have added ICMP. That’s it; I’ve added ICMP. If we ping from a higher security level interface to, say, a lower security level interface, then the request, or rather the return traffic, will be inspected back in.
If I come to the inside … Now, because the inside is on a security level of 100, if I ping 172.16.1 … Actually, let’s check what the IP address of this guy is … show ip interface brief; we get .100, so if I ping .100 … As you can see, that goes through. Also, if I ping the outside … Assuming the outside interface, so let’s check. show ip route. Assuming he knows about the inside interface, so right now, he doesn’t know. We don’t have any NAT configured.
I don’t think I have NAT configured on this ASA, so let’s check that. show run nat, so it wouldn’t go through because this guy wouldn’t know how to get back. One thing I’m just going to do, let me just add a route. Let’s just say config t, just so that we can test. Of course, in a normal network, you would not add a default route to your internal network. Just so that I can test, 2.1.
If I come to the inside and I ping 192.0.2. … what’s this guy’s IP address … do a show ip interface brief. Okay, .2. As you can see, it also goes through. Because this guy is on a higher security level interface, it can go anywhere.
Now, let’s come to the DMZ and try to ping the inside, and we’ll also try to ping the outside. The DMZ is on a security level of 50. 50 will not be able to go to 100 by default, but 50 will be able to go to 0. Let’s check: DMZ ping 10.0.100.100 … I believe that’s the IP address of the inside. Let’s just confirm: show ip interface brief … .100.
As you can see, it’s not going to go through. If I were to enable … logging on this guy, logging console 7, and I do that ping again [inaudible 00:03:37] twice. As you can see, it says deny inbound ICMP. It’s going to deny it by default, but if the DMZ wants to ping the outside, so 2.2, as you can see, that goes through.
This guy is on 100, this guy is on 50, this guy is on 0. If you come to the outside, the outside will not be able to get to anybody. If I wanted to ping 10.0.100.100, it would not go through, right? The ASA is going to deny that, and it’s also going to deny 172.16.1.100. Right, it’s going to deny that by default.
What do we do when, for example, the guys on the outside should be able to get to … maybe there’s a web server in the DMZ. What do we do? We actually use an access list. In this case, we’re not using any NATs, but NAT also plays an important role. In this case, we’ll not use NATs, so just stick to the access list.
Come here. Something we can do, let’s check this guy. show run | section ip http. Let’s enable the HTTP server. Let’s say ip http server … If I go from the inside, for example, if I telnet to 172.16.1.100 80. As you can see, it says open. We can use that to test, just simulating a web server there.
Come to the ASA and say that anybody coming from the outside should be able to access that web server. I’ll come here … no logging on … Create an access list. Let’s call it OUT_IN and then we permit … We want to permit HTTP traffic, so permit HTTP from anybody to the particular host 1.100 on port 80. Then, we just apply that access list, so OUT_IN inbound … so I apply it inbound on our interface outside.
What would happen now is, if this guy from the outside … Actually, let’s remove it and test without that. Let’s telnet to 172.16.1.100 on port 80. As you can see, that will not go through. The ASA is going to block it, and then I’d add the access list and try again. As you can see, it says open.
The access list is how you’re going to allow devices on a lower security level interface to access devices on a higher security level interface. In this case, we’ve allowed only TCP, so if we tried to ping, the ping will still not go through. Right? Cool.
The ASA is really nice because it helps with both network segmentation and access control.
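For reference, here is the ASA configuration that reproduces what was shown in the lab: the three interfaces with their security levels, ICMP inspection added to the default global policy, and the OUT_IN access list applied inbound on the outside interface. This is an added example written for this write-up, not the lab’s own config file; the interface names GigabitEthernet0/1 and 0/2, the ASA’s inside and DMZ addresses (.1 in each subnet) and the /24 masks are assumptions, since only the outside address 192.0.2.1 and the router addresses were mentioned.

```cisco
! Outside: lowest security level, nothing gets in unless an ACL permits it
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
! Inside: highest security level, can initiate to DMZ and outside by default
! (interface name and address are assumptions)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.100.1 255.255.255.0
!
! DMZ: 50, so it can reach outside (0) but not inside (100) by default
! (interface name and address are assumptions)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! ICMP is not inspected by default; adding it lets echo replies
! return through the ASA for pings sent from a higher to a lower level
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Allow only TCP/80 from anywhere on the outside to the DMZ web server;
! everything else from outside (including ICMP) stays denied
access-list OUT_IN extended permit tcp any host 172.16.1.100 eq www
access-group OUT_IN in interface outside
```

To watch the implicit denies as in the lab, turn on console logging on the ASA (logging enable, logging console 7) and repeat the DMZ-to-inside and outside-to-inside pings.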