Difference between revisions of "Basic ASA configuration"
From Tech-Wiki
Latest revision as of 15:34, 2 February 2017
Sample ASA configuration
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53
!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
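A policy check for the access lists in the configuration above, written as an added example for this page (not code from the wiki): it parses the object and access-list lines and walks the ACL bound inbound on an interface in first-match order, ending in the ASA's implicit deny. It assumes ACEs use only the `any` and `object NAME` address forms and the `www`/`domain` port names that appear in this configuration; interfaces with no ACL bound (inside) are not modelled.

```python
import ipaddress
# Constructed subset of the page's sample config: only what ACL evaluation needs.
ASA_CONFIG = """
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network dns-server
 host 192.168.0.53
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
"""
PORT_NAMES = {"www": 80, "domain": 53}  # assumption: the only port names used here

def parse(config):  # network objects, ACL entries (token lists), ACL-to-interface bindings
    objects, acls, bindings, cur = {}, {}, {}, None
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif t[0] == "host":
            objects[cur] = ipaddress.ip_network(t[1])
        elif t[0] == "subnet":
            objects[cur] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[3:])  # drop 'access-list NAME extended'
        elif t[0] == "access-group":
            bindings[t[4]] = t[1]
    return objects, acls, bindings

def _addr(tokens, i, objects):  # 'any' -> (None, i+1); 'object NAME' -> (its network, i+2)
    return (None, i + 1) if tokens[i] == "any" else (objects[tokens[i + 1]], i + 2)

def check_flow(iface, src, dst, proto, dport, config=ASA_CONFIG):
    """First-match walk of the ACL bound inbound on iface; anything unmatched hits the
    ASA's implicit deny. Interfaces with no ACL bound (inside here) are out of scope."""
    objects, acls, bindings = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(bindings.get(iface), []):
        s, i = _addr(ace, 2, objects)
        d, i = _addr(ace, i, objects)
        port = PORT_NAMES[ace[i + 1]] if i < len(ace) and ace[i] == "eq" else None
        if ace[1] in ("ip", proto) and (s is None or src in s) \
                and (d is None or dst in d) and (port is None or port == dport):
            return ace[0]
    return "deny"
```

Since ASA 8.3, access lists match real (pre-NAT) addresses, which is why `outside_acl` names the webserver's real address rather than `webserver-external-ip`; the check above follows that convention. A useful sanity check is that DMZ hosts reach the inside DNS server on UDP 53 only, while any other DMZ-to-inside flow is denied before the final `permit ip any any`.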