Configuring ASA on GNS3-allow ICMP traffic

Posted: July 31, 2015 in CISCO

Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. An ASA can be used as a security solution for both small and large networks.

By default, the ASA doesn't allow ICMP from the inside to the outside interface.

The inside interface is connected to the internal network, and the outside interface to the public network.

Interfaces have associated security levels. A security level is a numeric value, ranging from 0 to 100, that the ASA uses to control traffic flow. Traffic is permitted from interfaces with higher security levels to interfaces with lower security levels, but not the opposite. We use access lists to permit traffic from lower security levels to higher security levels. The default security level for an outside interface is 0; for an inside interface, the default security level is 100. If we need to publish services to the internet, we would use another interface named DMZ (demilitarized zone) with a default security level of 50.


In this example the inside interface has the IP address 192.168.2.2 and the outside interface 209.165.200.226. We'll configure the ASA to allow ping from client1 to the internet. We'll also configure NAT on the ASA, so that when the client accesses the internet, from the outside perspective it appears as if the traffic comes from the ASA's outside interface.

R1 configuration

See https://zarzyc.wordpress.com/2014/09/04/connecting-the-gns3-to-real-network-device/ for connecting a GNS3 router to the internet.

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config-if)#int s1/0
R1(config-if)#ip address 10.1.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip nat inside
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1  !DG for my laptop physical NIC
R1(config)#router eigrp 20
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#redistribute static  !advertise route to the internet to all EIGRP neighbors
R1(config)#access-list 3 permit 192.168.3.0 0.0.0.255   !network where client resides
R1(config)#access-list 4 permit 209.165.200.0 0.0.0.255 !asa outside network
R1(config)#access-list 5 permit 192.168.2.0 0.0.0.255   !asa inside network
R1(config)#ip nat inside source list 3 interface FastEthernet0/0 overload !nat rules
R1(config)#ip nat inside source list 4 interface FastEthernet0/0 overload
R1(config)#ip nat inside source list 5 interface FastEthernet0/0 overload

R2 configuration

interface Serial1/0
ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 209.165.200.225 255.255.255.248
router eigrp 20 
network 10.1.1.0 0.0.0.255
network 209.165.200.0
no auto-summary

ASA configuration

!interface to the internet

ciscoasa# config t
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# nameif outside

!interface to the inside network

ciscoasa# config t
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 192.168.2.2 255.255.255.0
ciscoasa(config-if)# nameif inside

!for the ASA we must use a real netmask, not a wildcard mask
ciscoasa(config)# config t
ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network 209.165.200.0 255.255.255.0
ciscoasa(config-router)# network 192.168.2.0 255.255.255.0
ciscoasa(config-router)# no auto-summary

!create an access list to allow traffic from "inside" (192.168.3.0) to the internet (any).
!unlike Cisco routers and switches, ASA access lists must use real network masks

ciscoasa(config)#access-list 102 extended permit icmp 192.168.3.0 255.255.255.0 any echo
!the echo reply comes from the location we pinged (any), so we allow ICMP replies from the internet (any)
!to our internal "inside" network (192.168.3.0):
ciscoasa(config)#access-list 102 extended permit icmp any 192.168.3.0 255.255.255.0 echo-reply
!apply this ACL in the inbound direction on the outside interface (traffic entering the ASA from the outside)
ciscoasa(config)#access-group 102 in interface outside

IN and OUT directions can be confusing :), for a better understanding go to http://www.virtxpert.com/ins-outs-of-cisco-asa-acls/

Alternatively, we can use the Modular Policy Framework (MPF) to enable ICMP traffic.

A class map identifies the traffic to which we want to apply actions (we create a class map named icmp-traffic; any name will do):

ciscoasa(config)# class-map icmp-traffic

The default class map is called default-inspection-traffic, which covers all the traffic predefined for various protocols, ICMP among them:

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
ctiqbe----tcp--2748      dns-------udp--53
ftp-------tcp--21        gtp-------udp--2123,3386
h323-h225-tcp--1720      h323-ras--udp--1718-1719
http------tcp--80        icmp------icmp
ils-------tcp--389       ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514       rtsp------tcp--554
sip-------tcp--5060      sip-------udp--5060
skinny----tcp--2000      smtp------tcp--25
sqlnet----tcp--1521      tftp------udp--69
waas------tcp--1-65535   xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group

ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit

Associate actions with the previously created class map by creating a policy map named my-policy and inspecting ICMP traffic:

ciscoasa(config)# policy-map my-policy
ciscoasa(config-pmap)# class icmp-traffic
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit

Finally, assign the policy map to the outside interface:

ciscoasa(config)# service-policy my-policy interface outside

To summarize:

class-map: identifies the traffic (ICMP in our case, defined in default-inspection-traffic)

policy-map: the action to take on the traffic specified in the class map (inspect icmp)

service-policy: where to apply the actions specified in the policy map (outside interface)
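To tie together the security-level rule, the access-group on the outside interface and the MPF alternative, here is an added toy model of the ASA's forwarding decision for ICMP; it is not ASA code or part of the original post, and the class and function names (ASA, ACE, decide, wildcard_to_netmask) are made up for the example. It shows why the echo from 192.168.3.10 leaves without any ACL, why the echo-reply is dropped unless ACL 102 permits it, and why "inspect icmp" lets the reply back in with no ACL at all.

```python
"""Toy model of how an ASA decides whether to forward an ICMP packet (security levels,
inbound access-group, 'inspect icmp').  Added illustration, not ASA code; names are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard (0.0.0.255) -> the real netmask (255.255.255.0) that ASA ACLs require."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))

def matches(addr: str, net: str, mask: str) -> bool:
    """Match an address against an ACE's network/netmask; 'any' matches everything."""
    return net == "any" or ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)

@dataclass
class ACE:
    action: str        # "permit" or "deny"  (one line of an ASA extended access-list)
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    icmp_type: str     # "echo", "echo-reply" or "any"

@dataclass
class ASA:
    security_level: dict                              # interface name -> 0..100
    access_group: dict = field(default_factory=dict)  # interface -> [ACE], applied "in"
    inspect_icmp: bool = False                        # 'inspect icmp' in the policy-map
    conns: set = field(default_factory=set)           # (src, dst) of echoes forwarded

    def decide(self, ingress, egress, src, dst, icmp_type):
        # 1. With inspection, an echo-reply to an echo we forwarded is return traffic
        #    of a known connection and is allowed back without any ACL.
        if self.inspect_icmp and icmp_type == "echo-reply" and (dst, src) in self.conns:
            return "permit"
        if ingress in self.access_group:
            # 2. An access-group on the ingress interface replaces the security-level
            #    default: first matching ACE wins, implicit deny at the end.
            verdict = "deny"
            for ace in self.access_group[ingress]:
                if (matches(src, ace.src, ace.src_mask) and matches(dst, ace.dst, ace.dst_mask)
                        and ace.icmp_type in ("any", icmp_type)):
                    verdict = ace.action
                    break
        else:
            # 3. No ACL: higher -> lower security level is permitted, lower -> higher denied.
            verdict = "permit" if self.security_level[ingress] > self.security_level[egress] else "deny"
        if verdict == "permit" and icmp_type == "echo" and self.inspect_icmp:
            self.conns.add((src, dst))  # inspection records the echo so its reply can come back
        return verdict
```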

Enable icmp debugging on ASA:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1

Ping 8.8.8.8 from the client and observe the debugging output.


On R1, view the NAT table:

R1#sh ip nat translations
Pro Inside global                          Inside local                      Outside local                Outside global
tcp 192.168.137.63:1202       192.168.3.10:1202        2.22.213.235:80        2.22.213.235:80

From the inside perspective, the traffic originates from the client.

Configuring NAT on the ASA firewall

Create a network object for the internal network (192.168.3.0) named mynetwork:

ciscoasa(config)# object network mynetwork
ciscoasa(config-network-object)# subnet 192.168.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

This creates a NAT rule for traffic sourced from devices on the inside (192.168.3.0) going to the outside: the source address of the inside network is translated to the address of the ASA's outside interface (209.165.200.226). Ping the internet again from client1 and observe the NAT translation table on R1:

Pro Inside global                          Inside local                      Outside local            Outside global
icmp 192.168.137.63:10785   209.165.200.226:10785   8.8.8.8:10785         8.8.8.8:10785

Traffic from client1 (192.168.3.10) appears as if it comes from the ASA's outside interface.
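The two NAT tables above are the evidence that the ASA translation is in effect: before object NAT, R1's "Inside local" column shows the client's real address; afterwards it shows the ASA outside address, so the flow is translated twice (ASA, then R1). Here is an added parser for the "show ip nat translations" format that automates that check; it is not part of the original post, the sample rows are constructed from the values in the post, and the function names (parse_translations, translation_stage) are made up for the example.

```python
"""Parse IOS 'show ip nat translations' output and tell, per entry, whether R1 saw the
client's real address or the ASA's translated one.  Added example; the sample rows are
constructed from the values in this post (one row from before and one from after ASA NAT)."""
from ipaddress import ip_address, ip_network

# Constructed sample table: header as printed by IOS, then the two rows shown in the post.
SAMPLE = """\
Pro Inside global         Inside local            Outside local       Outside global
tcp  192.168.137.63:1202  192.168.3.10:1202       2.22.213.235:80     2.22.213.235:80
icmp 192.168.137.63:10785 209.165.200.226:10785   8.8.8.8:10785       8.8.8.8:10785
"""
COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")

def split_endpoint(col):
    """'10.0.0.1:80' -> ('10.0.0.1', 80); an entry without a port -> (addr, None)."""
    if ":" in col:
        addr, port = col.rsplit(":", 1)
        return addr, int(port)
    return col, None

def parse_translations(text):
    """One dict per translation row; the header line and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        row = {"proto": fields[0]}
        row.update(zip(COLUMNS, map(split_endpoint, fields[1:])))
        rows.append(row)
    return rows

def translation_stage(row, client_net, asa_outside):
    """'r1-only' if R1 saw the client's real address (the ASA did not translate),
    'asa-then-r1' if it saw the ASA outside address (ASA object NAT in effect)."""
    inside_local = ip_address(row["inside_local"][0])
    if inside_local in ip_network(client_net):
        return "r1-only"
    if inside_local == ip_address(asa_outside):
        return "asa-then-r1"
    return "unknown"
```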

Comments
  1. Thanks for the link back!


  2. Jairo Castro says:

    I don’t understand why I am unable to ping the outside interface from the router and vice-versa, I configured the policy and traffic inspection. 😦
    Any suggestion?

