Cisco ASA
This page discusses initial configuration and use cases for the Cisco ASA
Introduction
Cisco ASA is a proprietary firewall/router solution from Cisco. It is a physical piece of gear that is very robust and offers a large amount of functionality. Because it is physical, only a finite number of devices can be attached directly to it, and it is not carry-on compliant. Below is a link to the documentation for the Cisco ASA 5525-X. This page covers how to set up basic interface assignments, NAT, and gateways/static routes.
Assignments
Because the ASA has physical connections, once you are able to console in and know which ports are connected, you can begin configuring the basic functionality of those ports. Because it is a Cisco device, the commands are almost identical to the configuration of a switch, with a few notable exceptions. Below are the commands for basic IP assignments using the network layout discussed in the PFSense document and the image displayed below.
ciscoasa(config)# interface gig 1/1
ciscoasa(config-if)# ip address 192.168.228.161 255.255.255.0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gig 1/2
ciscoasa(config-if)# ip address 20.0.0.254 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
NAT
Once your interfaces are properly configured you can set up NAT rules for each of your tools. Typically you only want to NAT the IPs and ports actively in use by your tools, such as Beats or Splunk, while also allowing outbound traffic to resources such as a remote Rocket.Chat server or a file share.
For the NAT demonstration below, the customer network is 192.168.228.0/24 and DCO's internal IP scheme is 20.0.0.0/24. This simulates setting up a NAT for a Splunk indexer listening at 20.0.0.10:9997.

To create a NAT on the Cisco ASA, you define a network object for the real (inside) host and apply the NAT statement directly to that object. The interface pair in the nat statement is written as (real interface, mapped interface). Below are the commands to NAT traffic destined for 192.168.228.161:9997 to the Splunk server at 20.0.0.10:9997.
ciscoasa(config)# object network splunk-nat
ciscoasa(config-network-object)# host 20.0.0.10
ciscoasa(config-network-object)# nat (inside,outside) static interface service tcp 9997 9997
Gateways / Static Routes
In some instances, you have multiple networks on the other side of one interface and you need to tell the ASA which interface and next hop to use for that traffic. This is where gateways and static routes help. The route command takes the egress interface name, the destination network and mask, and the next-hop address, which must sit on that interface's directly connected subnet. See the image below for an example.

ciscoasa(config)# route inside 30.0.0.0 255.255.255.0 20.0.0.1
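As an added example (not from this page or from Cisco), the following Python generator emits the three pieces of configuration above for the page's addressing and derives the real interface of the NAT pair and the egress interface of the route from the host and next-hop addresses, so neither can be typed the wrong way round. It also emits the access-list that must accompany the NAT, because the ASA drops outside-to-inside connections by default regardless of NAT; the spelled-out port names and the access-list name outside_in are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addressing taken from this page: customer /24 on outside, DCO /24 on inside.
# Full port names are an assumption (the page abbreviates them as "gig 1/1" and "gig 1/2").
INTERFACES = {
    "outside": {"port": "GigabitEthernet1/1", "addr": "192.168.228.161/24", "level": 0},
    "inside": {"port": "GigabitEthernet1/2", "addr": "20.0.0.254/24", "level": 100},
}

def iface_for(host):
    """Return the nameif whose directly connected subnet contains host, else None."""
    for name, cfg in INTERFACES.items():
        if ip_address(host) in ip_interface(cfg["addr"]).network:
            return name
    return None

def interface_config():
    """Emit the interface stanzas; each entry is one config-mode command."""
    lines = []
    for name, cfg in INTERFACES.items():
        ip = ip_interface(cfg["addr"])
        lines += [f"interface {cfg['port']}", f" ip address {ip.ip} {ip.netmask}",
                  f" nameif {name}", f" security-level {cfg['level']}", " no shutdown"]
    return lines

def object_nat(name, real_host, proto, real_port, mapped_port, mapped_ifc="outside"):
    """Object NAT publishing real_host on mapped_ifc's own address; pair is (real_ifc,mapped_ifc)."""
    # real_ifc is where the host actually sits, so derive it from the address instead of typing it.
    real_ifc = iface_for(real_host)
    if real_ifc is None or real_ifc == mapped_ifc:
        raise ValueError(f"{real_host} is not on a connected subnet other than {mapped_ifc}")
    return [f"object network {name}", f" host {real_host}",
            f" nat ({real_ifc},{mapped_ifc}) static interface service {proto} {real_port} {mapped_port}"]

def inbound_acl(obj_name, proto, port, acl="outside_in", ifc="outside"):
    """NAT alone does not admit traffic from a lower security level; an ACL must permit it."""
    return [f"access-list {acl} extended permit {proto} any object {obj_name} eq {port}",
            f"access-group {acl} in interface {ifc}"]

def static_route(dest_cidr, gateway):
    """Static route; the egress interface is the one whose subnet holds the next hop."""
    egress = iface_for(gateway)
    if egress is None:
        raise ValueError(f"next hop {gateway} is not on a directly connected subnet")
    net = ip_network(dest_cidr)
    return [f"route {egress} {net.network_address} {net.netmask} {gateway}"]
```

Calling object_nat("splunk-nat", "20.0.0.10", "tcp", 9997, 9997) and static_route("30.0.0.0/24", "20.0.0.1") reproduces the NAT and route shown above with the interface names filled in from the addressing.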