SYSTEMS AND NETWORKS (SISTEMI E RETI) - Altervista: didatticainformatica.altervista.org/alterpages/files/ASA_CISCO.pdf

Post on 22-Jul-2020


SYSTEMS AND NETWORKS

ASA Cisco

Prepared by Ing. Claudio Traini

Adaptive Security Appliance

ASA 5505

INSIDE NETWORK CONFIGURATION

ciscoasa(config)# interface vlan 1

ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# nameif inside

ciscoasa(config-if)# security-level 100

OUTSIDE NETWORK CONFIGURATION

ciscoasa(config)# interface vlan 2

ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.252

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# nameif outside

ciscoasa(config-if)# security-level 0

ASSIGN THE VLANS TO THE PHYSICAL INTERFACES

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# switchport access vlan 1

ciscoasa(config)# interface ethernet 0/1

ciscoasa(config-if)# switchport access vlan 2

CONFIGURE THE DEFAULT ROUTE ON THE FIREWALL

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.10.10.1

ENABLE NAT BETWEEN THE INTERNAL AND THE EXTERNAL NETWORK

ciscoasa(config)# object network LAN

ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0

ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Note: the subnet of the object must be the network configured on the inside interface (192.168.1.0/24 above); with any other subnet the NAT rule never matches traffic from the LAN. Object NAT of this form (object network ... nat) exists from ASA software 8.3 onward; the 8.2 guides in the references use the older nat/global commands.

CREATE THE ACCESS LISTS THAT PERMIT TRAFFIC

ciscoasa(config)# access-list inside_internet extended permit tcp any any

ciscoasa(config)# access-list inside_internet extended permit icmp any any

ciscoasa(config)# access-group inside_internet in interface outside

Note: bound inbound on the outside interface, this list admits any TCP or ICMP packet arriving from the Internet towards any destination. Traffic from inside to outside already flows without an access list, because the ASA permits connections from a higher security level (100) to a lower one (0) by default; an access list is only needed on outside for the connections the firewall should accept from the Internet, and it should name those explicitly.
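The two checks a reviewer would run against the configuration above, as an added Python example (not code from the deck or from Cisco): it parses the interface, object NAT and access-list commands into a small model and reports a NAT object whose subnet is not behind its source interface, and an access list that permits "any any" inbound on a security-level-0 interface. The sample configuration is constructed from the deck's commands without the prompts; its NAT object deliberately keeps the 172.16.1.0/24 subnet so that the mismatch check has something to report.

```python
import ipaddress
import re

# Constructed sample: the deck's basic ASA 5505 configuration without the
# "ciscoasa(config)#" prompts. The NAT object keeps 172.16.1.0/24 on purpose,
# which does not match the inside interface network 192.168.1.0/24.
SAMPLE_CONFIG = """
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 nameif inside
 security-level 100
interface vlan 2
 ip address 10.10.10.2 255.255.255.252
 nameif outside
 security-level 0
object network LAN
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list inside_internet extended permit tcp any any
access-list inside_internet extended permit icmp any any
access-group inside_internet in interface outside
"""


def parse_config(text):
    """Return (interfaces, objects, acls, bindings) from ASA-style config text."""
    interfaces, objects, acls, bindings = {}, {}, {}, {}
    current = None  # ("if" | "obj", dict) for the block currently being filled
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            current = ("if", {"nameif": None, "level": None, "net": None})
            interfaces[" ".join(words[1:])] = current[1]
        elif words[:2] == ["object", "network"]:
            current = ("obj", {"subnet": None, "nat": None})
            objects[words[2]] = current[1]
        elif words[0] == "access-list" and words[2] == "extended":
            acls.setdefault(words[1], []).append(words[3:])  # ['permit','tcp','any','any']
        elif words[0] == "access-group":
            bindings[words[1]] = (words[2], words[4])  # acl -> (direction, interface)
        elif current and current[0] == "if":
            if words[:2] == ["ip", "address"]:
                current[1]["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            elif words[0] == "nameif":
                current[1]["nameif"] = words[1]
            elif words[0] == "security-level":
                current[1]["level"] = int(words[1])
        elif current and current[0] == "obj":
            if words[0] == "subnet":
                current[1]["subnet"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            elif words[0] == "nat":
                m = re.match(r"\((\w+),(\w+)\)", words[1])
                current[1]["nat"] = (m.group(1), m.group(2))
    return interfaces, objects, acls, bindings


def lint(text):
    """Return a list of finding strings; an empty list means both checks passed."""
    interfaces, objects, acls, bindings = parse_config(text)
    by_name = {i["nameif"]: i for i in interfaces.values() if i["nameif"]}
    findings = []
    # Check 1: a NAT object's subnet must lie inside the network of its source interface.
    for name, obj in objects.items():
        if obj["nat"] and obj["subnet"]:
            src_if = by_name.get(obj["nat"][0])
            if src_if and src_if["net"] and not obj["subnet"].subnet_of(src_if["net"]):
                findings.append(
                    f"nat-subnet-mismatch: object {name} is {obj['subnet']} but "
                    f"{obj['nat'][0]} is {src_if['net']}; the NAT rule never matches"
                )
    # Check 2: 'permit <proto> any any' applied inbound on a security-level-0 interface.
    for acl, (direction, ifname) in bindings.items():
        iface = by_name.get(ifname)
        if direction != "in" or not iface or iface["level"] != 0:
            continue
        for entry in acls.get(acl, []):
            if entry[0] == "permit" and entry[2:4] == ["any", "any"]:
                findings.append(
                    f"open-inbound-acl: {acl} permits {entry[1]} any any inbound "
                    f"on {ifname} (security-level 0)"
                )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints one subnet-mismatch finding and two open-inbound-acl findings for the sample; correcting the object subnet to 192.168.1.0/24 and moving the access-group to inside makes it report nothing.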

ASA 5505 - DMZ

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 198.51.100.100 255.255.255.0

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.1.1 255.255.255.0

Note: "no forward interface Vlan1" is what the ASA 5505 Base license requires for a third VLAN: the DMZ may receive connections from inside but cannot open connections towards it. The security level of 50 places the DMZ between inside (100) and outside (0), so inside can reach the DMZ and the DMZ can reach the Internet without further access lists.

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 1

interface Ethernet0/2

switchport access vlan 3

object network dmz-subnet

subnet 192.168.1.0 255.255.255.0

object network inside-subnet

subnet 192.168.0.0 255.255.255.0

object network webserver

host 192.168.1.10

route outside 0.0.0.0 0.0.0.0 198.51.100.1

object network inside-subnet

nat (inside,outside) dynamic interface

object network webserver

nat (dmz,outside) static 198.51.100.101

access-list OUTSIDE-DMZ extended permit icmp any any

access-list OUTSIDE-DMZ extended permit tcp any object webserver eq www

access-list OUTSIDE-DMZ extended permit tcp any host 192.168.1.10 eq www

access-list OUTSIDE-DMZ extended permit tcp any host 198.51.100.101 eq www

access-group OUTSIDE-DMZ in interface outside

Note: from ASA software 8.3 onward an access list matches the real (untranslated) address, so the "object webserver" entry and the "host 192.168.1.10" entry are equivalent; the "host 198.51.100.101" entry is the pre-8.3 form, which matched the mapped address. Only one of them is needed for the release in use. Once this list is bound to outside, everything not listed is dropped by the implicit deny, so the Internet can reach the web server on TCP 80 only.
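A small Python model of the DMZ policy above, added here as an example (not code from the deck or from Cisco), that decides whether a new connection is accepted the way the ASA does: the "no forward" restriction is applied first, an access list bound inbound on the ingress interface decides when one exists, and otherwise the security levels decide. It assumes 8.3+ semantics, where the mapped address 198.51.100.101 is untranslated to the real host 192.168.1.10 before the access list is evaluated; the interfaces, addresses and access-list entries are taken from the deck, and the hosts used in the checks are constructed.

```python
import ipaddress

# Model of the deck's DMZ design (8.3+ semantics: access lists match real addresses).
INTERFACES = {
    "inside":  {"level": 100, "net": ipaddress.ip_network("192.168.0.0/24")},
    "outside": {"level": 0,   "net": ipaddress.ip_network("198.51.100.0/24")},
    "dmz":     {"level": 50,  "net": ipaddress.ip_network("192.168.1.0/24")},
}
# "no forward interface Vlan1" on the dmz VLAN: dmz may not initiate towards inside.
NO_FORWARD = {("dmz", "inside")}
# "nat (dmz,outside) static 198.51.100.101": mapped address -> real host.
STATIC_NAT = {ipaddress.ip_address("198.51.100.101"): ipaddress.ip_address("192.168.1.10")}
# OUTSIDE-DMZ bound inbound on outside. Entry: (proto, dst network or None for any, dst port or None).
ACL_ENTRIES = {
    "outside": [
        ("icmp", None, None),
        ("tcp", ipaddress.ip_network("192.168.1.10/32"), 80),
    ],
}


def interface_for(ip):
    """Egress interface: the directly connected network, else the default route."""
    for name, info in INTERFACES.items():
        if ip in info["net"]:
            return name
    return "outside"


def acl_permits(entries, proto, dst_ip, dst_port):
    """First matching permit wins; no match means the implicit deny at the end."""
    for e_proto, e_net, e_port in entries:
        if e_proto != proto:
            continue
        if e_net is not None and dst_ip not in e_net:
            continue
        if e_port is not None and e_port != dst_port:
            continue
        return True
    return False


def is_permitted(ingress, proto, dst_ip, dst_port=None):
    """Decide whether a new connection arriving on `ingress` is accepted."""
    dst_ip = ipaddress.ip_address(dst_ip)
    real_dst = STATIC_NAT.get(dst_ip, dst_ip)  # untranslate a mapped address first
    egress = interface_for(real_dst)
    if (ingress, egress) in NO_FORWARD:
        return False
    if ingress in ACL_ENTRIES:
        # An inbound access list replaces the security-level default on that interface.
        return acl_permits(ACL_ENTRIES[ingress], proto, real_dst, dst_port)
    return INTERFACES[ingress]["level"] > INTERFACES[egress]["level"]


if __name__ == "__main__":
    # Constructed flows: Internet client, inside host 192.168.0.5, Internet host 203.0.113.9.
    checks = [
        ("outside", "tcp", "198.51.100.101", 80),   # public web server, HTTP
        ("outside", "tcp", "198.51.100.101", 22),   # public web server, SSH
        ("outside", "tcp", "192.168.0.5", 80),      # inside host from the Internet
        ("dmz", "tcp", "192.168.0.5", 445),         # DMZ towards inside (no forward)
        ("inside", "tcp", "192.168.1.10", 80),      # inside towards the DMZ
        ("dmz", "tcp", "203.0.113.9", 443),         # DMZ towards the Internet
    ]
    for flow in checks:
        print(flow, "permit" if is_permitted(*flow) else "deny")
```

The output shows the intended asymmetry: only TCP 80 to the web server enters from outside, inside reaches the DMZ and the Internet, the DMZ reaches the Internet but not inside. Note that the "icmp any any" entry also matches pings addressed to inside hosts; whether such packets ever arrive at the outside interface depends on routing beyond the firewall, not on this policy.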

ASA 5505 - References

Cisco ASA 5500 Series Configuration Guide using the CLI, Software Version 8.2

Cisco ASA 5505 Getting Started Guide, Software Version 8.2