By default, a Cisco router permits and forwards every packet it receives as long as the destination matches a route in its routing table. If we want to restrict some routes, we have to configure access lists, but with a large number of access-list rules this becomes a nightmare to configure on each interface.
In the diagram above, our router has two inbound access lists to deny some routes from the hosts' LAN, and two more access lists to prevent some routes from the Internet (WAN) from entering our LAN. That means we have to apply an access list on four interfaces just to protect our LAN network. A better solution is to use security zones on an ASA firewall.
Let's look at an example of how a security zone works.
As you can see above, we have two security zones:
1. INSIDE: our LAN network.
2. OUTSIDE: our WAN network (the Internet).
Each ASA interface has been assigned to the correct security zone. Security zones follow two simple rules:
Traffic coming from a higher security level to a lower security level should be permitted.
Traffic coming from a lower security level to a higher security level should be denied.
Security levels –
The ASA interface is in routed mode by default, operating at layer 3.
ASA firewall interfaces are assigned a security level, which is a number between 0 and 100. The higher the number, the more trusted the network connected to that interface of the ASA firewall.
Earlier we saw names like INSIDE, OUTSIDE and DMZ. We can assign such names to an ASA interface (inside, outside or dmz). As soon as we assign a name to an interface, a security level is assigned to it automatically. For example, if we name an interface inside, it is assigned security level 100, i.e. the most trusted network. If we name an interface outside, dmz or anything else, it is assigned security level 0 automatically. These are default values and can be changed.
It is good practice to give a security level of 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted or public network), and 50 to DMZ (the organization's public-facing servers).
Note –
It is not mandatory to assign a name (INSIDE, OUTSIDE, or DMZ) to the ASA
interface but it is good practice to assign these names as they are simple and
meaningful.
Our LAN is our trusted network, so it gets a high security level. The WAN is untrusted, so it gets a low security level. This means that traffic from our LAN to the WAN is permitted, while traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic for connections initiated from our LAN.
If you want to make an exception and permit traffic from the WAN to the LAN, this can be accomplished with an access list.
Most companies will have one or more servers that
should be reachable from the Internet. Perhaps a mail or web server. Instead of
placing these on the INSIDE, we use a third zone called the DMZ
(Demilitarized Zone).
The DMZ security level is between INSIDE and OUTSIDE.
Traffic coming from INSIDE going to OUTSIDE is permitted.
Traffic coming from DMZ going to OUTSIDE is permitted.
Traffic coming from INSIDE going to DMZ is permitted.
Traffic coming from DMZ going to INSIDE is denied.
Traffic coming from OUTSIDE going to INSIDE is denied.
To provide connectivity between OUTSIDE and the DMZ, we use an access list that permits traffic only to the required IP addresses or port numbers. If something happens to one of our servers (it gets hacked), our inside network is still secure.
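To make the rules above concrete, here is an added Python model (not Cisco code and not part of the original post) of the ASA default inter-interface policy: the security-level rule, the stateful return-traffic exception, and an access-list exception for a DMZ server. The interface names, levels and addresses are taken from this page's configuration as assumptions; the flows themselves are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Security levels per nameif, matching the page's configuration: inside 100,
# dmz 50, outside 0 (assumption: no other level was changed).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
# src_if / dst_if are the ingress and (routed) egress nameifs of a packet.
Flow = namedtuple("Flow", "src_if dst_if src_ip src_port dst_ip dst_port")


@dataclass
class AsaPolicy:
    levels: dict = field(default_factory=lambda: dict(SECURITY_LEVEL))
    acl_permits: set = field(default_factory=set)  # (ingress_if, dst_ip, dst_port)
    conn_table: set = field(default_factory=set)   # permitted forward 4-tuples

    def permit_acl(self, ingress_if, dst_ip, dst_port):
        """Access-list exception: allow lower->higher traffic to one IP/port."""
        self.acl_permits.add((ingress_if, dst_ip, dst_port))

    def decide(self, f: Flow) -> str:
        fwd = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        # 1. Stateful check: reply to a connection the firewall already permitted.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in self.conn_table:
            return "permit (established)"
        # 2. Explicit access-list exception on the ingress interface.
        if (f.src_if, f.dst_ip, f.dst_port) in self.acl_permits:
            self.conn_table.add(fwd)
            return "permit (acl)"
        # 3. Default rule: higher security level -> lower is permitted; lower ->
        #    higher is denied (equal levels are also denied in this model).
        if self.levels[f.src_if] > self.levels[f.dst_if]:
            self.conn_table.add(fwd)
            return "permit (security-level)"
        return "deny"


def walk_through():
    """Constructed flows using the page's addresses; returns the decisions."""
    asa = AsaPolicy()
    pc, wan, dmz = "192.168.10.3", "192.168.30.2", "192.168.20.2"
    out = [
        asa.decide(Flow("inside", "outside", pc, 40000, wan, 80)),   # LAN -> WAN
        asa.decide(Flow("outside", "inside", wan, 80, pc, 40000)),   # its reply
        asa.decide(Flow("outside", "inside", wan, 50000, pc, 445)),  # WAN -> LAN
        asa.decide(Flow("outside", "dmz", wan, 50001, dmz, 443)),    # WAN -> DMZ
        asa.decide(Flow("dmz", "inside", dmz, 50002, pc, 22)),       # DMZ -> LAN
    ]
    asa.permit_acl("outside", dmz, 443)  # exception for the DMZ web server only
    out.append(asa.decide(Flow("outside", "dmz", wan, 50003, dmz, 443)))
    return out
```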
Let's see the configuration:
1. Configure the topology as per the diagram.
2. Configure the IP addresses on the ports.
3. Assign gig1/1 to the outside zone.
4. Assign gig1/3 to the inside zone.
5. Assign gig1/2 to the DMZ.
ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface gigabitEthernet 1/3
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface gigabitEthernet 1/2
ciscoasa(config-if)#nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.30.2 255.255.255.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
From the PC:
C:\>IPCONFIG
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09
IP Address......................: 192.168.10.3
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
ciscoasa#show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.30.1 255.255.255.0 CONFIG
GigabitEthernet1/2 dmz 192.168.20.1 255.255.255.0 DHCP
GigabitEthernet1/3 inside 192.168.10.1 255.255.255.0 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.30.1 255.255.255.0 CONFIG
GigabitEthernet1/2 dmz 192.168.20.1 255.255.255.0 DHCP
GigabitEthernet1/3 inside 192.168.10.1 255.255.255.0 unset
ciscoasa#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms
ciscoasa#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms
ciscoasa#ping 192.168.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms