You can leverage two ASA features to control or limit the amount of bandwidth used by specific traffic flows:
* Traffic policing
* Traffic shaping
With either method, the ASA measures the bandwidth used by traffic that a service policy has classified and holds that traffic within a configured rate. The two methods enforce the limit differently.
With traffic policing, packets are forwarded normally as long as the traffic stays within the configured rate and burst size; packets that exceed them get the configured exceed action, which is normally drop. A policer adds no queueing delay, but it reacts to instantaneous bursts, so with a small burst size it can drop noticeably more than the long-term overage would suggest.
In contrast, traffic shaping takes a more preemptive approach. Excess packets are buffered and released at the configured rate, so short bursts are delayed rather than dropped. The buffer is finite, though: if the offered load stays above the shaping rate, queueing delay grows until the queue is full, and from then on new packets are dropped anyway.
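The difference between the two mechanisms is easiest to see on a token bucket. The following Python model is an added example, not code from this page or from Cisco: it runs one constructed packet stream (ten 1500-byte packets every 10 ms, i.e. 1.2 Mbit/s, plus the same ten packets as a single burst) through a policer and a shaper at the page's 1 Mbit/s rate. The 1500- and 3000-byte burst sizes, the queue limit and the continuously refilled bucket are assumptions for illustration, not ASA internals.

```python
"""Token-bucket model of ASA-style policing versus shaping.

Added example for this page, not Cisco code. The 1 Mbit/s rate mirrors the
page's ``police output 1000000`` line; the burst sizes, packet sizes, arrival
patterns and queue limit are constructed assumptions.
"""


class TokenBucket:
    """Bucket holding up to `burst_bytes` tokens, refilled at `rate_bps`."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)      # starts full
        self.last_t = 0.0

    def refill(self, now):
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bps / 8.0)
        self.last_t = now

    def take(self, nbytes):
        """Consume tokens for one packet; False if the bucket cannot cover it."""
        if nbytes <= self.tokens + 1e-6:      # epsilon absorbs float rounding
            self.tokens -= nbytes
            return True
        return False

    def wait_for(self, nbytes):
        """Seconds until `nbytes` tokens will be available (0 if they already are)."""
        deficit = nbytes - self.tokens
        return 0.0 if deficit <= 0 else deficit * 8.0 / self.rate_bps


def police(packets, rate_bps, burst_bytes):
    """Policer: conform-action transmit, exceed-action drop, no buffering.
    packets: list of (arrival_seconds, size_bytes). Returns (transmitted, dropped)."""
    tb = TokenBucket(rate_bps, burst_bytes)
    transmitted, dropped = [], []
    for t, size in packets:
        tb.refill(t)
        (transmitted if tb.take(size) else dropped).append((t, size))
    return transmitted, dropped


def shape(packets, rate_bps, burst_bytes, queue_limit):
    """Shaper: packets wait in a FIFO until the bucket can cover them and leave in
    order; a packet that finds `queue_limit` packets already waiting is tail-dropped.
    Returns (sent, dropped); sent holds (arrival, departure, size)."""
    tb = TokenBucket(rate_bps, burst_bytes)
    sent, dropped = [], []
    last_departure = 0.0
    for t, size in packets:
        waiting = sum(1 for _, dep, _ in sent if dep > t)   # still queued at time t
        if waiting >= queue_limit:
            dropped.append((t, size))
            continue
        earliest = max(t, last_departure)                   # FIFO: behind the last packet
        tb.refill(earliest)
        departure = earliest + tb.wait_for(size)
        tb.refill(departure)
        tb.take(size)
        sent.append((t, departure, size))
        last_departure = departure
    return sent, dropped


RATE = 1_000_000                      # bits per second, as on the page
# Constructed input: ten 1500-byte packets every 10 ms = 1.2 Mbit/s, 20 % over the rate.
STEADY = [(i * 0.010, 1500) for i in range(10)]
# Constructed input: the same ten packets arriving at the same instant.
BURST = [(0.0, 1500)] * 10


def summary(packets, burst_bytes, queue_limit=8):
    """Compare both mechanisms on one input; returns counts and the worst shaping delay."""
    tx, pdrop = police(packets, RATE, burst_bytes)
    sent, sdrop = shape(packets, RATE, burst_bytes, queue_limit)
    max_delay = max((dep - arr for arr, dep, _ in sent), default=0.0)
    return {"policed_tx": len(tx), "policed_drop": len(pdrop),
            "shaped_tx": len(sent), "shaped_drop": len(sdrop),
            "shaper_max_delay_ms": round(max_delay * 1000, 3)}


if __name__ == "__main__":
    for label, pkts, burst in (("steady 1.2 Mbit/s, Bc 1500", STEADY, 1500),
                               ("steady 1.2 Mbit/s, Bc 3000", STEADY, 3000),
                               ("10-packet burst, Bc 1500", BURST, 1500)):
        print(label, summary(pkts, burst))
```

Compare the counts: at 20 % over the rate, the policer with a 1500-byte burst drops every second packet, because each full-size packet arrives before the bucket has refilled to 1500 bytes, while a 3000-byte burst brings the drops in line with the real overage. The shaper passes all ten packets, but the delay grows by 2 ms per packet, and the one-shot burst shows the queue limit turning into tail drops once the queue is full.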
To use ASDM to configure traffic policing, begin by navigating to Configuration > Firewall > Service Policy Rules and adding a new service policy rule or editing an existing one. Define a matching condition that classifies the traffic to be policed. Next, click the QoS tab in the Rule Actions dialog box, check the Enable Policing check box, and then choose either Input Policing or Output Policing.
Use the police command as the action to send the matched traffic into a traffic policer.
ciscoasa(config)# access-list OUTBOUND_HTTP extended permit tcp any eq http any
ciscoasa(config)# class-map CLASS_HTTP
ciscoasa(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
ciscoasa(config-cmap)# match access-list ?
mpf-class-map mode commands/options:
WORD Access List name
ciscoasa(config-cmap)# match access-list OUTBOUND_HTTP
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map MY_POLICY
ciscoasa(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
rename Rename this policy-map
<cr>
ciscoasa(config-pmap)# class CLASS_HTTP
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# police ?
mpf-policy-map-class mode commands/options:
input Police traffic in input direction
output Police traffic in output direction
ciscoasa(config-pmap-c)# police output ?
mpf-policy-map-class mode commands/options:
<8000-2000000000> Bits per second
ciscoasa(config-pmap-c)# police output 1000000 ?
mpf-policy-map-class mode commands/options:
<1000-512000000> Burst bytes
conform-action action when rate is less than conform burst
<cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action ?
mpf-policy-map-class mode commands/options:
drop drop packet
exceed-action action when rate is within conform and conform + exceed burst
transmit transmit packet
<cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit ?
mpf-policy-map-class mode commands/options:
exceed-action action when rate is within conform and conform + exceed burst
<cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit exceed-action ?
mpf-policy-map-class mode commands/options:
drop drop packet
transmit transmit packet
<cr>
ciscoasa(config-pmap-c)# police output 1000000 conform-action transmit exceed-action drop
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy MY_POLICY ?
configure mode commands/options:
global Enter this keyword to specify a global policy
interface Enter this keyword to specify an interface policy
ciscoasa(config)# service-policy MY_POLICY interface ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface GigabitEthernet1
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
ciscoasa(config)# service-policy MY_POLICY interface outside
To configure traffic shaping in ASDM, begin by adding a new service policy rule or editing an existing one. Shaping cannot be applied to a selected class of traffic; it applies to all traffic leaving an interface, which in MPF terms is the class-default class (everything not matched by another class in the same policy). Therefore, you have to use the class-default class map to match the traffic, by selecting the Use Class-Default As the Traffic Class option in the Traffic Classification Criteria dialog box.
Next, click the QoS tab in the Rule Actions dialog box and check Enable Traffic Shaping as the policy action. If you choose any matching criteria other than class-default, the Enable Traffic Shaping option is not shown.
In the CLI, the shape command is the action that sends traffic into the shaper. Because shaping covers the bulk of the traffic passing through an interface, the only permissible class in a shaping policy map is class class-default, followed by the shape action; the policy map is then applied to an interface (not globally) and shapes that interface's outbound traffic only.
ciscoasa(config)# policy-map outside-policy
ciscoasa(config-pmap)# class ?
mpf-policy-map mode commands/options:
WORD class-map name
class-default System default class matching otherwise unclassified packets
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
ciscoasa(config-pmap-c)# shape ?
mpf-policy-map-class mode commands/options:
average configure token bucket: CIR (bps) [Bc (bits)], send out Bc only per
interval
ciscoasa(config-pmap-c)# shape average ?
mpf-policy-map-class mode commands/options:
<64000-154400000> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
ciscoasa(config-pmap-c)# shape average 100000000
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy ?
configure mode commands/options:
Available policy-maps:
outside-policy
ciscoasa(config)# service-policy outside-policy interface ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface GigabitEthernet1
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
ciscoasa(config)# service-policy outside-policy interface outside
Sunday, October 27, 2013
Saturday, October 19, 2013
Configuring Virtual Firewall on an ASA
Limitations
Here are some important limitations regarding virtual firewalls on a Cisco ASA:
* Before ASA 9.0, a Cisco ASA in multiple mode did not support dynamic routing protocols, IPsec and SSL VPNs, multicast IP routing, threat detection, or Phone Proxy.
* The Cisco ASA 5505 does not support multiple mode. (This personally frustrates me).
* The number of Security Contexts you can create depends on the software licenses and the Cisco ASA hardware model used.
I had a discussion with our core design engineer, and he mentioned that we should be able to run IPsec site-to-site VPNs on context-based firewalls. And sure enough, after doing some research, Cisco has finally released code to support this feature.
Starting with ASA 9.0, site-to-site IPsec VPN and the EIGRP and OSPFv2 dynamic routing protocols are supported in multiple context mode; remote-access (SSL/AnyConnect) VPN and multicast routing remained unsupported in that release. Refer to these links:
http://sevenlayers.wordpress.com/2012/09/13/cisco-multi-conext-vpn-is-finally-here-in-asa-release-9-0-a-few-years-too-late/
http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/data_sheet_c78-714849.html
Configuration Tasks
Here is an overview for the configuration of virtual firewalls on the Cisco ASA.
Step 1: Enable multiple mode on the Cisco ASA.
Step 2: Create a Security Context.
Step 3: Allocate interfaces to the context.
Step 4: Specify the startup configuration location for the context.
Step 5: Configure the Security Context resource management.
Step 6: Configure each Security Context as a separate security appliance.
The number of contexts the platform is licensed for appears in the show version output (this capture is from an ASA 5520):
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual // EXCLUDES SYSTEM AND ADMIN CONTEXT
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
ciscoasa# configure terminal
ciscoasa(config)# mode ?
configure mode commands/options:
multiple Multiple mode; mode with security contexts
noconfirm Do not prompt for confirmation
single Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart
<OUTPUT TRUNCATED>
ciscoasa# configure terminal
ciscoasa(config)# interface gigabitethernet0 // WE UNSHUT MAIN INTERFACES IN SYSTEM CONTEXT
ciscoasa(config-if)# ?
Interface configuration commands:
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
description Interface specific description
exit Exit from interface configuration mode
help Interactive help for interface subcommands
lacp LACP interface subcommands
no Negate a command or set its defaults
shutdown Shutdown the selected interface
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# context ?
configure mode commands/options:
WORD Symbolic name of the context
ciscoasa(config)# context CONTEXT-A
Creating context 'CONTEXT-A'... Done. (2)
ciscoasa(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
ciscoasa(config-ctx)# allocate-interface ?
context mode commands/options:
WORD Indicate interfaces assigned to the context
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 ?
context mode commands/options:
WORD Optional interface name mapping for the context
invisible Optional flag for hiding hardware property in context (default)
visible Optional flag for publishing hardware property in context
<cr>
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa(config-ctx)# config-url ?
context mode commands/options:
disk0: A URL beginning with this prefix for the context's config (file need
not exist)
flash: A URL beginning with this prefix for the context's config (file need
not exist)
ftp: A URL beginning with this prefix for the context's config (file need
not exist)
http: A URL beginning with this prefix for the context's config (file need
not exist)
https: A URL beginning with this prefix for the context's config (file need
not exist)
smb: A URL beginning with this prefix for the context's config (file need
not exist)
tftp: A URL beginning with this prefix for the context's config (file need
not exist)
ciscoasa(config-ctx)# config-url disk0:/CONTEXT-A.cfg
WARNING: Could not fetch the URL disk0:/CONTEXT-A.cfg
INFO: Creating context with default config
// THE CONTEXT ONLY STARTS ONCE config-url IS SET; SWITCH INTO IT WITH "changeto context CONTEXT-A" (NOT CAPTURED) BEFORE CONFIGURING ITS INTERFACES
ciscoasa/CONTEXT-A(config)# interface intg0
ciscoasa/CONTEXT-A(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa/CONTEXT-A(config-if)# no shutdown
ciscoasa/CONTEXT-A(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CONTEXT-A(config-if)# interface intg1
ciscoasa/CONTEXT-A(config-if)# ip address 209.165.200.1 255.255.255.0
ciscoasa/CONTEXT-A(config-if)# no shutdown
ciscoasa/CONTEXT-A(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
// "changeto system" (NOT CAPTURED) RETURNS TO THE SYSTEM SPACE
ciscoasa(config-ctx)# exit
ciscoasa(config)# context CONTEXT-B
Creating context 'CONTEXT-B'... Done. (3)
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa(config-ctx)# config-url disk0:/CONTEXT-B.cfg
WARNING: Could not fetch the URL disk0:/CONTEXT-B.cfg
INFO: Creating context with default config
// AS WITH CONTEXT-A: config-url FIRST, THEN "changeto context CONTEXT-B" (NOT CAPTURED) TO CONFIGURE IT
ciscoasa/CONTEXT-B(config)# interface intg0
ciscoasa/CONTEXT-B(config-if)# ip address 172.16.1.1 255.255.255.0
ciscoasa/CONTEXT-B(config-if)# no shutdown
ciscoasa/CONTEXT-B(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/CONTEXT-B(config-if)# interface intg1
ciscoasa/CONTEXT-B(config-if)# ip address 209.165.200.1 255.255.255.0
ERROR: This address conflicts with another address on net
// intg1 IS THE SAME SHARED gigabitethernet1 THAT CONTEXT-A ALREADY USES WITH 209.165.200.1; EACH CONTEXT NEEDS ITS OWN ADDRESS ON A SHARED INTERFACE
ciscoasa/CONTEXT-B(config-if)# ip address 209.165.200.2 255.255.255.0
ciscoasa/CONTEXT-B(config-if)# no shutdown
ciscoasa/CONTEXT-B(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
// "changeto system" (NOT CAPTURED) RETURNS TO THE SYSTEM SPACE
ciscoasa(config-ctx)# exit
ciscoasa(config)# admin-context ?
configure mode commands/options:
WORD Name of administrative context
ciscoasa(config)# admin-context admin // ASSIGN ADMIN CONTEXT AS "ADMIN" FOR REMOTE MANAGEMENT
ciscoasa(config)# context admin
ciscoasa(config-ctx)# config-url disk0:/admin.cfg
Cryptochecksum (changed): d9951253 3b82d2ce 840166f8 ccd3d7f1
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
// LAB ONLY: THE ADMIN CONTEXT SHARES THE DATA INTERFACES WITH CONTEXT-A AND CONTEXT-B. ANYONE WHO LOGS IN TO THE ADMIN CONTEXT CAN "changeto system" AND INTO EVERY OTHER CONTEXT, SO IN PRODUCTION GIVE IT A DEDICATED MANAGEMENT INTERFACE
ciscoasa(config-ctx)# allocate-interface gigabitethernet0 intg0
ciscoasa(config-ctx)# allocate-interface gigabitethernet1 intg1
ciscoasa(config-ctx)# end
ciscoasa# changeto ?
context Change to context
system Change to system space
ciscoasa# changeto context ?
WORD Context name
ciscoasa# changeto context admin
ciscoasa/admin# configure terminal
ciscoasa/admin(config)# interface intg0
ciscoasa/admin(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa/admin(config-if)# no shutdown
ciscoasa/admin(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa/admin(config-if)# exit
ciscoasa/admin(config)# http server enable
ciscoasa/admin(config)# http 0 0 inside // HTTPS/ASDM ACCESS FROM ANY IP SOURCE ON THE INSIDE INTERFACE (LAB ONLY: RESTRICT THIS TO THE MANAGEMENT SUBNET IN PRODUCTION)
ciscoasa/admin(config)# end
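The address conflict above (the same 209.165.200.1 on gigabitethernet1 in two contexts) is one of several things worth checking whenever contexts share physical interfaces. The following Python audit is an added example, not code from this page or from Cisco: it parses system-space and per-context configuration text constructed to mirror the lab above, reports which physical interfaces are shared and by which contexts, whether the admin context rides on a data interface, whether mac-address auto is set so the classifier can separate shared interfaces by destination MAC rather than by destination IP/NAT, and duplicate or overlapping addresses across contexts on the same wire. The finding names are the example's own.

```python
"""Audit of an ASA multiple-context layout for shared-interface risks.

Added example for this page, not Cisco code. The system-space and per-context
configurations below are constructed to mirror the page's lab (admin, CONTEXT-A
and CONTEXT-B all sharing gigabitethernet0 and 1); the checks and finding names
are this example's own. Only plain `allocate-interface <physical> [<name>]`
lines are understood, not interface ranges.
"""
import ipaddress
import re
from collections import defaultdict

SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
  config-url disk0:/admin.cfg
context CONTEXT-A
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
  config-url disk0:/CONTEXT-A.cfg
context CONTEXT-B
  allocate-interface gigabitethernet0 intg0
  allocate-interface gigabitethernet1 intg1
  config-url disk0:/CONTEXT-B.cfg
"""

# Constructed per-context configs with the addresses used on the page.
CONTEXT_CONFIGS = {
    "admin": "interface intg0\n nameif inside\n ip address 10.1.1.1 255.255.255.0\n",
    "CONTEXT-A": ("interface intg0\n nameif inside\n ip address 192.168.1.1 255.255.255.0\n"
                  "interface intg1\n nameif outside\n ip address 209.165.200.1 255.255.255.0\n"),
    "CONTEXT-B": ("interface intg0\n nameif inside\n ip address 172.16.1.1 255.255.255.0\n"
                  "interface intg1\n nameif outside\n ip address 209.165.200.2 255.255.255.0\n"),
}


def parse_system_config(text):
    """Return ({context: {mapped_name: physical}}, admin_context_name, mac_address_auto)."""
    contexts, current, admin = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("admin-context "):
            admin = line.split()[1]
        elif line.startswith("context "):
            current = line.split()[1]
            contexts[current] = {}
        elif line.startswith("allocate-interface ") and current:
            parts = line.split()
            physical = parts[1].lower()
            mapped = parts[2] if len(parts) > 2 and parts[2] not in ("visible", "invisible") else physical
            contexts[current][mapped] = physical
    mac_auto = re.search(r"^\s*mac-address auto\b", text, re.M) is not None
    return contexts, admin, mac_auto


def parse_context_config(text):
    """Return {interface_name: IPv4Interface} for each addressed interface."""
    addrs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            ip, mask = line.split()[2:4]
            addrs[current] = ipaddress.ip_interface(f"{ip}/{mask}")
    return addrs


def audit(system_text, context_texts):
    """Return a list of (finding, physical_interface, details) tuples."""
    contexts, admin, mac_auto = parse_system_config(system_text)
    by_physical = defaultdict(list)           # physical -> [(context, mapped_name)]
    for ctx, mapping in contexts.items():
        for mapped, physical in mapping.items():
            by_physical[physical].append((ctx, mapped))
    findings = []
    for physical, users in sorted(by_physical.items()):
        names = [ctx for ctx, _ in users]
        if len(users) > 1:
            # Shared interface: the classifier must tell the contexts apart by
            # destination MAC (unique MACs) or by destination IP/NAT.
            findings.append(("shared-interface", physical, names))
            if admin in names:
                # Whoever reaches the admin context can changeto system and into
                # every other context, so it should not sit on a data interface.
                findings.append(("admin-shares-data-interface", physical, names))
        seen = []                              # (context, IPv4Interface) on this wire
        for ctx, mapped in users:
            iface = parse_context_config(context_texts.get(ctx, "")).get(mapped)
            if iface is None:
                continue
            for other_ctx, other in seen:
                if other.ip == iface.ip:       # the error the page hit on CONTEXT-B
                    findings.append(("duplicate-address", physical, [other_ctx, ctx, str(iface.ip)]))
                elif other.network.overlaps(iface.network):
                    findings.append(("overlapping-subnet", physical, [other_ctx, ctx, str(iface.network)]))
            seen.append((ctx, iface))
    if not mac_auto and any(len(u) > 1 for u in by_physical.values()):
        findings.append(("no-mac-address-auto", None, []))
    return findings


if __name__ == "__main__":
    for finding in audit(SYSTEM_CONFIG, CONTEXT_CONFIGS):
        print(*finding)
```

On the lab layout this reports both gigabit interfaces as shared by all three contexts, the admin context on both of them, the missing mac-address auto, and CONTEXT-A and CONTEXT-B sitting in the same 209.165.200.0/24 on gigabitethernet1 (expected for a shared outside, but it is exactly why each context needs its own address there). Restoring the original 209.165.200.1 in CONTEXT-B turns that line into a duplicate-address finding.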
Saturday, October 12, 2013
Configuring Access Control List (ACL) on an ASA
The access control list (ACL) is the heart of every ASA: it is the mechanism that controls which traffic may pass between network segments, and the ASA offers a full-featured set of access control methods built on it.
You configure interface access rules in the CLI with the access-list command. An ACL is made up of one or more access control entries (ACEs), each one line of the ACL, specifying a permit or deny rule or a remark. The ASA evaluates an ACL top-down and acts on the first matching ACE, and every ACL ends with an implicit deny of everything it does not explicitly permit, so ACE order matters and an over-broad permit is never corrected by a deny placed after it.
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ciscoasa(config)# access-list INSIDE-IN ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list INSIDE-IN line 1 ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
ciscoasa(config)# access-list INSIDE-IN line 1 extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 ?
configure mode commands/options:
A.B.C.D Netmask for source IP address
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or network
object-group for destination address
range Port range operator
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any ?
configure mode commands/options:
eq Port equal to operator
You can configure interface access rules in the CLI with the access-list command. An ACL is made up of one or more access control entries (ACEs), each occupying one line in the ACL and specifying a permit or deny rule, or a remark.
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ciscoasa(config)# access-list INSIDE-IN ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list INSIDE-IN line 1 ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
ciscoasa(config)# access-list INSIDE-IN line 1 extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 ?
configure mode commands/options:
A.B.C.D Netmask for source IP address
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or network
object-group for destination address
range Port range operator
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any ?
configure mode commands/options:
eq Port equal to operator
gt Port greater than operator
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
lt Port less than operator
neq Port not equal to operator
object-group Optional service object-group for destination port
range Port range operator
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
ciscoasa(config)# access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any eq http
ciscoasa(config)# access-list OUTSIDE-IN line 2 remark EXPLICIT DENY ALL RULE
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any ?
configure mode commands/options:
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
Default Keyword for restoring default log behavior
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
disable Disable log option on this ACL element, (no log at all)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
inactive Keyword for disabling an ACL element
informational Informational messages (severity=6)
interval Configure log interval, default value is 300 sec
notifications Normal but significant conditions (severity=5)
time-range Keyword for attaching time-range option to this ACL element
warnings Warning conditions (severity=4)
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log 4 ?
configure mode commands/options:
inactive Keyword for disabling an ACL element
interval Configure log interval, default value is 300 sec
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN line 3 extended deny ip any any log 4 interval 300
ciscoasa(config)# object network TIME.NIST.GOV
ciscoasa(config-network-object)# host 192.43.244.18
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list GLOBAL-ACL line 1 extended permit udp any object TIME.NIST.GOV eq ntp log ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
Default Keyword for restoring default log behavior
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
disable Disable log option on this ACL element, (no log at all)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
inactive Keyword for disabling an ACL element
informational Informational messages (severity=6)
interval Configure log interval, default value is 300 sec
notifications Normal but significant conditions (severity=5)
time-range Keyword for attaching time-range option to this ACL element
warnings Warning conditions (severity=4)
<cr>
ciscoasa(config)# access-list GLOBAL-ACL line 1 extended permit udp any object TIME.NIST.GOV eq ntp log disable
ciscoasa(config)# access-group ?
configure mode commands/options:
WORD Specify the name of an access-list
ciscoasa(config)# access-group INSIDE-IN ?
configure mode commands/options:
global For traffic on all interfaces
in For input traffic
out For output traffic
<cr>
ciscoasa(config)# access-group INSIDE-IN in ?
configure mode commands/options:
interface Keyword to specify an interface
ciscoasa(config)# access-group INSIDE-IN in interface ?
configure mode commands/options:
Current available interface(s):
dmz Name of interface GigabitEthernet1
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
ciscoasa(config)# access-group INSIDE-IN in interface inside
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
ciscoasa(config)# access-group GLOBAL-ACL global
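The access-list and access-group commands from the transcript above, collapsed into their running-config form and followed by the verification commands a practitioner would run. This is an added example and is not part of the original post; the inside host 10.0.0.25 and the outside host 203.0.113.9 are assumed addresses. The security-relevant point it exercises is evaluation order: the ASA checks the interface ACL first and consults the global ACL only for traffic the interface ACL does not match, with the implicit deny sitting at the end of the global ACL. Because OUTSIDE-IN ends in an explicit deny ip any any, GLOBAL-ACL is never reached for traffic arriving on outside, whereas on inside, where INSIDE-IN has no explicit deny, anything other than HTTP from 10.0.0.0/24 falls through to GLOBAL-ACL.

```cisco
! Added example, not from the original post. Only the addresses already on the
! page are real to the scenario; 10.0.0.25 and 203.0.113.9 are assumed test hosts.
object network TIME.NIST.GOV
 host 192.43.244.18
!
! Inbound on inside: only HTTP from 10.0.0.0/24. There is no explicit deny,
! so unmatched traffic is evaluated against GLOBAL-ACL next.
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.255.255.0 any eq http
!
! Inbound on outside: the explicit deny matches everything that reaches it, so
! GLOBAL-ACL is never consulted for this interface. "log 4" = warnings; one
! 106100 message per flow, repeated every 300 s while the flow persists.
access-list OUTSIDE-IN remark EXPLICIT DENY ALL RULE
access-list OUTSIDE-IN extended deny ip any any log 4 interval 300
!
! Global ACL: evaluated after the interface ACL on every interface. Once a
! global ACL exists, the implicit deny is at the end of it. "log disable"
! means no ACL syslog at all for matches on this entry.
access-list GLOBAL-ACL extended permit udp any object TIME.NIST.GOV eq ntp log disable
!
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
access-group GLOBAL-ACL global
!
! Checks. Per-ACE hit counts show which line actually caught the traffic.
clear access-list OUTSIDE-IN counters
show access-list INSIDE-IN
show access-list OUTSIDE-IN
show access-list GLOBAL-ACL
!
! An NTP request from an inside host (assumed 10.0.0.25): the trace should show
! INSIDE-IN not matching and the ACCESS-LIST phase permitting via GLOBAL-ACL.
packet-tracer input inside udp 10.0.0.25 123 192.43.244.18 123
!
! The same request arriving on outside (assumed 203.0.113.9): the trace should
! show the OUTSIDE-IN deny with Action: drop, and GLOBAL-ACL is never evaluated.
packet-tracer input outside udp 203.0.113.9 123 192.43.244.18 123
```

A deny with the log keyword generates syslog 106100 at the configured level (warnings here; informational is the default), rate-limited per flow by the interval value and capped by the deny-flow-max setting shown in the access-list ? help earlier. A deny without the log keyword produces 106023 instead, and log disable suppresses ACL logging for that entry entirely, which is appropriate for a high-volume, expected permit such as NTP but should never be applied to a deny you rely on for detection. Clearing the counters before a test keeps the hit counts attributable to the traffic you actually sent.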
The ASDM Access Rules table contains several features that enable you to quickly and efficiently manage it.
From the menu, you can choose to add, insert, edit or delete an access rule. You can also easily copy (clone) a rule, for instance, when you add another web server. Just clone the existing web server rule, and then edit it to change the destination IP address.
You can change the order of rules, using either the cut/copy and paste options or the move up/down arrows. Remember that access rules are evaluated in order and positioning of the rule is critical to its functionality.
You can also clear the hit counter for a specific rule (right-click menu) or all access rules (button on the toolbar), which is commonly required during troubleshooting. You can also show log messages generated by a chosen rule (right-click menu) or by all access rules (button on the toolbar). Additionally from the right-click menu, you can export the contents of the Access Rules table to a comma-separated value (CSV) format file.
You can edit a rule in place (rather than opening the Edit Access Rule dialog box) and alter its contents within the Access Rules window. Rules can also be temporarily disabled, and if you want to permanently remove a rule, simply delete it.
Saturday, October 5, 2013
New NAT Options in ASA Software Versions 8.3 and Later
* One significant change in NAT with software versions 8.3 and higher is that NAT control (enforcing the use of NAT) is no longer supported.
* The implementation of NAT is done through the use of network objects (hence, "object-oriented")
* There is now an "any" option that can be used when defining ingress and egress interfaces in the NAT configuration.
* You can configure translations as part of network object definitions, which are added to the configuration. This is known as "Auto NAT," and it reduces configuration complexity when a host needs only one translation policy.
* You can configure a single NAT rule that will translate both the source and destination addresses in a packet. This is known as "Manual NAT" or "Twice NAT," because NAT can be performed twice - once on the source IP and the other on the destination IP.
* NAT rules can be defined as unidirectional, meaning only traffic sourced from a defined object can use the translation. Connections toward the object must match a different NAT rule, or they will not be translated.
In this scenario, we have two application servers on the DMZ interface that require access from the Internet. A web server with native (local) IP address 172.16.0.5 and an FTP server with native IP address 172.16.0.10. The web server will use translated (global) IP address 209.165.200.228 when communicating with the outside interface (the Internet), and the FTP server will use translated IP address 209.165.200.229.
ciscoasa(config)# object ?
configure mode commands/options:
network Specifies a host, subnet or range IP addresses
service Specifies a protocol/port
ciscoasa(config)# object network ?
configure mode commands/options:
WORD < 65 char Specifies object ID (1-64 characters)
ciscoasa(config)# object network DMZ-FTP-PUB
ciscoasa(config-network-object)# ?
description Specify description text
fqdn Enter this keyword to specify an FQDN
help Help for network object configuration commands
host Enter this keyword to specify a single host object
nat Enable NAT on a singleton object
no Remove an object or description from object
range Enter this keyword to specify a range
subnet Enter this keyword to specify a subnet
ciscoasa(config-network-object)# host ?
network-object mode commands/options:
A.B.C.D Enter a host IP address
X:X:X:X::X Enter a host IPV6 address
ciscoasa(config-network-object)# host 209.165.200.229
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-FTP-PRIV
ciscoasa(config-network-object)# host 172.16.0.10
ciscoasa(config-network-object)# nat ?
network-object mode commands/options:
( Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
<real_if_name> is the prenat interface and <mapped_if_name> is the
postnat interface
dynamic Specify NAT type as dynamic
static Specify NAT type as static
configure mode commands/options:
( Open parenthesis for (<internal_if_name>,<external_if_name>)
pair where <internal_if_name> is the Internal or prenat
interface and <external_if_name> is the External or postnat
interface
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ciscoasa(config-network-object)# nat (?
network-object mode commands/options:
Current available interface(s):
DMZ Name of interface GigabitEthernet1
any Global address space
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
configure mode commands/options:
Current available interface(s):
DMZ Name of interface GigabitEthernet1
any Global address space
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet2
ciscoasa(config-network-object)# nat (DMZ,outside) ?
network-object mode commands/options:
dynamic Specify NAT type as dynamic
static Specify NAT type as static
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ciscoasa(config-network-object)# nat (DMZ,outside) static ?
network-object mode commands/options:
A.B.C.D Mapped IP address
WORD Mapped network object/object-group name
interface Use interface address as mapped IP
ciscoasa(config-network-object)# nat (DMZ,outside) static DMZ-FTP-PUB
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-WEB-PUB
ciscoasa(config-network-object)# host 209.165.200.228
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-WEB-PRIV
ciscoasa(config-network-object)# host 172.16.0.5
ciscoasa(config-network-object)# nat (DMZ,outside) static DMZ-WEB-PUB
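The scenario's two Auto NAT rules together with the access rule they need, followed by the commands that verify the translation. This is an added example, not the original post's configuration; the outside client 203.0.113.9 is an assumed address. The practitioner caveat it shows is the other big change in 8.3: access rules now match on the real (pre-NAT) address, so the outside ACL must permit traffic to 172.16.0.5 and 172.16.0.10, not to the mapped 209.165.200.228 and .229. A static NAT by itself permits nothing inbound; only the ACL does.

```cisco
! Added example, not from the original post. Addresses are the scenario's own
! except 203.0.113.9, an assumed outside client.
object network DMZ-WEB-PUB
 host 209.165.200.228
object network DMZ-FTP-PUB
 host 209.165.200.229
!
! Static Auto NAT: the translation lives inside the object that holds the
! real address. Static means bidirectional: inbound to the mapped address
! and outbound from the real address both use this rule.
object network DMZ-WEB-PRIV
 host 172.16.0.5
 nat (DMZ,outside) static DMZ-WEB-PUB
object network DMZ-FTP-PRIV
 host 172.16.0.10
 nat (DMZ,outside) static DMZ-FTP-PUB
!
! Access rule on outside. The destination is the REAL address (8.3+ behaviour);
! a rule written for 209.165.200.228 would never match and the connection
! would be dropped. Permit only the service each host serves, and keep the
! permits ahead of the deny-all.
access-list OUTSIDE-IN line 1 extended permit tcp any object DMZ-WEB-PRIV eq http
access-list OUTSIDE-IN line 2 extended permit tcp any object DMZ-FTP-PRIV eq ftp
access-list OUTSIDE-IN extended deny ip any any log 4
access-group OUTSIDE-IN in interface outside
!
! Checks. "show nat" lists rules in evaluation order (Auto NAT is Section 2)
! with translate_hits and untranslate_hits; inbound connections count as
! untranslate hits. "show xlate" shows the static entries themselves.
show nat
show xlate
!
! Inbound HTTP. The destination is the mapped address as it arrives on the
! wire; the trace should show an UN-NAT phase rewriting it to 172.16.0.5 and
! then the ACCESS-LIST phase matching OUTSIDE-IN line 1, Action: allow.
packet-tracer input outside tcp 203.0.113.9 40000 209.165.200.228 80
!
! Negative check: FTP to the web server's mapped address must hit the deny-all
! line (Action: drop) and produce syslog 106100 at warnings.
packet-tracer input outside tcp 203.0.113.9 40001 209.165.200.228 21
```

Because static Auto NAT is bidirectional, the DMZ hosts also leave the outside interface with their mapped addresses, and the ASA proxy-ARPs for 209.165.200.228 and .229 on outside by default. The FTP rule works for the data channel only because FTP inspection is part of the default global service policy (it appears in the default-inspection-traffic list shown earlier on this page); if that inspection has been removed, passive-mode data connections will be dropped by the deny-all line.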