Difference between revisions of "Basic ASA configuration"

From Tech-Wiki

Latest revision as of 15:34, 2 February 2017


Sample ASA configuration

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53
!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
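A small first-match ACL evaluator for the objects and access-lists in the configuration above, added here as an example and not part of the wiki page: it resolves the `object network` names, applies ASA's first-match-wins rule with the implicit deny at the end of an applied ACL, and shows why the `deny ip any object inside-subnet` entry in `dmz_acl` has to precede `permit ip any any`. It handles only the `any`/`object` operands and `eq` named ports used in this config; the `www`/`domain` port numbers are an assumed mapping.

```python
import ipaddress
import re
# Constructed excerpt of the objects and access-lists from the config above.
ASA_CONFIG = """object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network dns-server
 host 192.168.0.53
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
"""
PORTS = {"www": 80, "domain": 53}  # assumed values for the named ports used here
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                 r"(any|object \S+) (any|object \S+)(?: eq (\S+))?")

def parse_objects(cfg):
    """Map each 'object network' name to the ip_network it defines."""
    objects, name = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if line.startswith("object network "):
            name = parts[2]
        elif name and parts and parts[0] in ("host", "subnet"):
            net = parts[1] if parts[0] == "host" else f"{parts[1]}/{parts[2]}"
            objects[name] = ipaddress.ip_network(net, strict=False)
    return objects

def parse_acls(cfg, objects):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport), ...]} in config order."""
    def resolve(field):  # 'any' matches everything (None); 'object X' is looked up
        return None if field == "any" else objects[field.split()[1]]
    acls = {}
    for m in ACE.finditer(cfg):
        name, action, proto, src, dst, port = m.groups()
        acls.setdefault(name, []).append(
            (action, proto, resolve(src), resolve(dst), PORTS.get(port)))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; an applied ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if (p != "ip" and p != proto) or (snet and s not in snet) \
                or (dnet and d not in dnet) or (port is not None and port != dport):
            continue
        return action
    return "deny"
```

Reordering the two `dmz_acl` entries so that `permit ip any any` comes first silently opens DMZ-to-inside traffic, which `evaluate` makes visible before the change reaches a firewall.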