The Multi-Vendor Networking Forum and Resources
Cisco ASA Configuration Version 8.3+
The Cisco ASA 5500 is a very flexible and solid firewall with many features. Cisco made a major change to the NAT configuration when they released version 8.3. These changes were very confusing to me, and I assume they were for many of you too. Below I have added a few examples of NAT configuration to make your life easier; they only cover what I think are the most popular NAT uses. For more information on NAT in version 8.3 and above, please read the release notes and the ASA migration guide. I have also added some basic configuration and troubleshooting tips.
**This document does not cover VPN**

Before version 8.3 the ACL on the interface filtered the traffic first, and then the NAT occurred. This order changed starting with version 8.3: on an incoming packet the NAT is performed first, then the ACL is applied. Because of this change, your ACLs need to reference the inside (real) IPs instead of the outside (public) IPs.
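To make the order change concrete, here is an added Python model (not from the original page) of one inbound static NAT and one outside ACL, evaluated in the pre-8.3 order (ACL, then NAT) and in the 8.3+ order (NAT, then ACL). The addresses reuse the page's examples; the ACL lines and the partner address are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example: static NAT publishing inside 192.168.1.1 on public 10.1.1.1.
STATIC_NAT = {"10.1.1.1": "192.168.1.1"}   # mapped (public) -> real (inside)


def untranslate(dst):
    """Destination NAT for an inbound packet: public IP back to the real inside IP."""
    return STATIC_NAT.get(dst, dst)


def acl_permits(acl, src, dst):
    """ACL lines are (action, src_net, dst_net); first match wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def inbound_allowed(acl, src, dst, version_83_plus):
    """Apply the outside-interface ACL in the order the firmware version uses."""
    if version_83_plus:
        return acl_permits(acl, src, untranslate(dst))   # 8.3+: ACL sees the real (inside) IP
    return acl_permits(acl, src, dst)                    # pre-8.3: ACL sees the public IP


# Constructed partner host 172.17.3.1 reaching the server published on 10.1.1.1.
OLD_STYLE_ACL = [("permit", "172.17.3.1/32", "10.1.1.1/32")]      # written with the public IP
NEW_STYLE_ACL = [("permit", "172.17.3.1/32", "192.168.1.1/32")]   # written with the inside IP


def check():
    """The old-style ACL silently stops matching after the upgrade (implicit deny)."""
    return {
        "old_acl_pre83": inbound_allowed(OLD_STYLE_ACL, "172.17.3.1", "10.1.1.1", False),
        "old_acl_83": inbound_allowed(OLD_STYLE_ACL, "172.17.3.1", "10.1.1.1", True),
        "new_acl_83": inbound_allowed(NEW_STYLE_ACL, "172.17.3.1", "10.1.1.1", True),
    }
```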


General Cisco ASA Firewall Configuration

The Cisco ASA product line is a very flexible and complex platform with many features. Below you will see a small sample of the configuration an ASA needs to get up and running. Do your own research by reading the ASA configuration guide for the software level you are running, to make sure you set up your ASA as securely as your business demands.

HA Pair Configuration


failover                                                                       --> Enables the failover feature
failover lan unit [primary|secondary]                                          --> Tells this unit whether it is the primary or the secondary
failover lan interface failover GigabitEthernet<SLOT/PORT>                     --> Port used for the cross connect to talk to the other ASA
failover link state GigabitEthernet<SLOT/PORT>                                 --> Port used to sync state information
failover interface ip failover 172.16.1.1 255.255.255.252 standby 172.16.1.2   --> IP addresses for the failover link
failover interface ip state 172.16.2.1 255.255.255.252 standby 172.16.2.2      --> IP addresses for the state link (the standby address must differ from the active one)

monitor-interface <Ifname>      --> Add this command for every interface you want to monitor for failure. If a monitored interface goes down, the ASA fails over to the other unit.

Interface Configuration

interface GigabitEthernet<SLOT/PORT.VLAN#>
 description <Add a useful description here>                   --> Tells you about this interface
 vlan <VLAN number that matches the VLAN on the switch port>   --> VLAN, if using VLAN tagging
 nameif <Name for the interface>                               --> You will apply access lists to this name
 security-level 50                                             --> Security level 0 through 100; 100 is the most secure
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2      --> IP address for this interface and for the standby ASA

* The above configuration is for a VLAN subinterface. Use it when you want a single physical interface servicing multiple DMZs; you can add multiple VLANs on the port.
* If you are not using multiple VLANs on a single port, simply remove the "vlan" command and the VLAN number from the interface name.
* If you do not have an HA pair, you do not need the standby IP address.

SSH AND HTTP Configuration

ssh 192.168.10.0 255.255.255.0 <ifname>   --> Enables SSH access from 192.168.10.0/24 to a specific interface.
     * You can only SSH to the first interface the SSH packet uses to enter the ASA.
ssh timeout <Number of Minutes>           --> Sets the SSH timeout; the value is in minutes
ssh version 2                             --> Sets the SSH version to 2

http 192.168.10.0 255.255.255.0 <ifname>  --> Enables HTTPS (ASDM) access from 192.168.10.0/24 to a specific interface.

Access list and how to apply it

There are many ways of creating an access list. It is very similar to an access list on a router, but there is no "ip" keyword at the beginning. The line below is only one example. An interface ACL has an implicit deny at the end; when a global ACL is configured, the interface ACL instead ends with an implicit permit so that unmatched traffic falls through to the global ACL, which carries the implicit deny. (This is true on version 8.3.)

access-list <acl name> extended permit ip host 192.168.5.1 host 172.17.3.1
access-group <acl name> [in|out] interface <ifname>                 --> Applies the access list to the interface using its ifname


SNMP Configuration

snmp-server host <ifname> <IP of Server> community <COMMUNITY STRING> version 2c
snmp-server community <COMMUNITY STRING>
snmp-server enable traps

Miscellaneous

same-security-traffic permit inter-interface   --> Allows communication between different interfaces with the same security level.
    - Only use this command if you want this to happen; it could cause a security issue.
same-security-traffic permit intra-interface   --> Allows traffic to enter and leave on the same interface (hairpinning).
    - Only use this command if you want this to happen; it could cause a security issue.
mtu <ifname> <size in bytes>                   --> Sets the MTU for this interface
logging enable                                 --> Enables logging
logging timestamp                              --> Enables timestamps
logging buffer-size <buffer size>              --> Sets the logging buffer size
logging buffered informational                 --> Sets the logging level for the buffer
logging trap informational                     --> Sets the level for logs sent to the syslog server
logging asdm informational                     --> Sets the logging level for logs going to ASDM
logging host <ifname> <IP Address>             --> IP address of the syslog server and the ifname the logs leave the ASA on


NAT Configurations on Cisco ASA 5500


1 to 1 static NAT
        Cisco calls this Auto NAT or Object NAT

Example: I want a specific host to leave the company on a specific public IP.
Inside Host = 192.168.1.1
Outside Host = 10.1.1.1

object network <Name or PUBLIC-IP>
 host <PRIVATE-IP>
 nat (inside,outside) static <PUBLIC-IP>

Example with IPs

object network STATIC-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static 10.1.1.1

1 to 1 NAT and specify a destination and port it can use

Cisco calls this Manual NAT or Twice NAT

Example: I want a specific host to leave the company on a specific public IP, but only allowed to a specific destination IP address on a specific port.

object-group network <source object>
 network-object <INSIDE IP ADDRESSES>

object network <object of public ip>
 host <OUTSIDE PUBLIC IP>

object service <obj-www>
 service tcp destination eq www

object network <object of destination IP>
 host <DESTINATION PUBLIC IP>

nat (source_interface,egress_interface) source dynamic <source object> <object of public ip> destination static <object of destination IP> <object of destination IP> service <obj-www> <obj-www>

*** <object of destination IP> is needed twice (real and mapped) at the end
*** <obj-www> is needed twice (real and mapped) at the end



1 to 1 NAT with a specific destination specified

Example: I want a specific host to leave the company on a specific public IP, but only allowed to a specific destination IP address.
Inside Host = 192.168.1.1
Public IP = 10.1.1.1
Destination = 172.16.5.1

object-group network <source object>
 network-object <INSIDE IP ADDRESSES>

object network <object of public ip>
 host <OUTSIDE PUBLIC IP>

object network <object of destination IP>
 host <DESTINATION PUBLIC IP>

nat (source_interface,outside) source dynamic <source object> <object of public ip> destination static <object of destination IP> <object of destination IP>

*** <object of destination IP> is needed twice (real and mapped) at the end

Example:
The nat statement above stays the same; this is how you would fill out the objects for this example.

object-group network <source object>
 network-object host 192.168.1.1
object network <object of public ip>
 host 10.1.1.1
object network <object of destination IP>
 host 172.16.5.1

Overload NAT or PAT

Example: I want all of my end users to leave the company on the same public IP.
Inside Hosts = 192.168.1.0/24
Outside IP = 10.1.1.2

object-group network <OBJECT-GROUP NAME - 1>
 network-object <INSIDE IP ADDRESSES>

object network <OBJECT NAME - 2>
 host <OUTSIDE PUBLIC IP>

nat (inside,outside) after-auto source dynamic <OBJECT-GROUP NAME - 1> <OBJECT NAME - 2>

Example with IPs
object-group network NAT-OVERLOAD-INSIDE-OUT
 network-object 192.168.1.0 255.255.255.0

object network PUBLIC-IP
 host 10.1.1.2

nat (inside,outside) after-auto source dynamic NAT-OVERLOAD-INSIDE-OUT PUBLIC-IP

*** Due to the order of operations, a manual NAT rule like this overload is evaluated before object (1 to 1) NAT. If your IPs overlap, as in these examples, you must use "after-auto" in your nat statement so the overload rule is evaluated after object NAT. If you do not, when 192.168.1.1 gets NAT'd it goes out as the overload IP instead of the static IP.
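The following Python model is an added example, not part of the original page: it walks the ASA 8.3+ NAT table in section order (manual NAT, then object NAT, then manual NAT marked "after-auto") and shows why the overload rule shadows the 1 to 1 rule for 192.168.1.1 unless it is placed after-auto. The addresses are the page's; within-section tie-breaking is simplified to configuration order.

```python
from ipaddress import ip_address, ip_network

# Section 1 = manual NAT, section 2 = auto/object NAT, section 3 = manual NAT "after-auto".
SECTION = {"manual": 1, "auto": 2, "after-auto": 3}


def rule(kind, real_net, mapped_ip):
    """One outbound source-NAT rule: real (inside) prefix and the mapped (public) address."""
    return {"section": SECTION[kind], "real": ip_network(real_net), "mapped": mapped_ip}


def translate_source(src_ip, rules):
    """Walk sections 1, 2, 3 in order; the first matching rule wins.
    Simplification: within a section we keep configuration order (the real section 2
    also prefers static over dynamic rules and longer prefixes)."""
    src = ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["section"]):   # sorted() is stable
        if src in r["real"]:
            return r["mapped"]
    return src_ip   # no rule matched: the packet leaves with its real address


# The page's object NAT: 192.168.1.1 -> 10.1.1.1 (section 2).
STATIC_HOST = rule("auto", "192.168.1.1/32", "10.1.1.1")


def without_after_auto():
    """PAT written as plain manual NAT lands in section 1 and shadows the object NAT."""
    pat = rule("manual", "192.168.1.0/24", "10.1.1.2")
    return translate_source("192.168.1.1", [STATIC_HOST, pat])


def with_after_auto():
    """The same PAT placed after-auto (section 3) lets the object NAT win for 192.168.1.1."""
    pat = rule("after-auto", "192.168.1.0/24", "10.1.1.2")
    return translate_source("192.168.1.1", [STATIC_HOST, pat])


def other_host_with_after_auto():
    """A host with no object NAT of its own still falls through to the PAT."""
    pat = rule("after-auto", "192.168.1.0/24", "10.1.1.2")
    return translate_source("192.168.1.50", [STATIC_HOST, pat])
```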


 
NAT Exemption

object network <inside-object>
 subnet 172.16.1.0 255.255.255.0
object network <destination-object>
 subnet 192.168.1.0 255.255.255.0

nat (<source interface>,<destination interface>) source static <inside-object> <inside-object> destination static <destination-object> <destination-object>

Example with the objects named inside and DMZ:

nat (any,any) source static inside inside destination static DMZ DMZ

This configuration may be confusing, because nothing in it says DO NOT NAT. The command translates the source IP to itself (and the destination to itself), which keeps the IPs unchanged.
