Cisco ASA

This page discusses initial configuration and use cases for the Cisco ASA


Last updated 2 years ago

Introduction

Cisco ASA is Cisco's proprietary firewall/router appliance. It is a physical piece of gear that is very robust and offers a large amount of functionality. Because it is physical, only a finite number of devices can attach directly to it, and it is not carry-on compliant for travel. A link to Cisco's ASA documentation is provided at the bottom of this page. What is discussed here is how to set up basic interface Assignments, NAT, and Gateways/Static Routes.

Assignments

The ASA has physical connections, so once you can console in and know which ports are cabled, you can configure the basic functionality of those ports. Because it is a Cisco device, the commands are almost identical to configuring a switch, with a few notable exceptions: every ASA interface needs a name (nameif) and a security level, and by default traffic is allowed from a higher security level to a lower one but not the reverse. Below are the commands for basic IP assignments using the network layout discussed in the PFSense document and the image displayed at the bottom of this page.

ciscoasa(config)# interface gig 1/1
ciscoasa(config-if)# ip address 192.168.228.161 255.255.255.0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gig 1/2
ciscoasa(config-if)# ip address 20.0.0.254 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

NAT

Once your interfaces are properly configured you can set up NAT rules for each of your tools. Only NAT through the IPs and ports actively in use by the tools, such as Beats or Splunk, and allow outbound traffic to things such as a remote Rocket.Chat server or file share. Anything exposed beyond that is attack surface on the customer side that the DCO kit does not need.

For the NAT demonstration below, the customer network is 192.168.228.0/24 and DCO's internal IP scheme is 20.0.0.0/24 (20.0.0.0/24 is not RFC 1918 private space; it is used here only because it is the scheme from the PFSense document). This simulates a NAT for a Splunk indexer listening at 20.0.0.10:9997.

To create a NAT on the Cisco ASA, create a network object for the real (inside) host and apply the NAT directly to that object. Below are the commands to translate traffic arriving at the outside interface address 192.168.228.161:9997 to the Splunk server at 20.0.0.10:9997. In the nat statement the real interface is listed first and the mapped interface second, so for an inside host the pair is (inside,outside). A NAT rule by itself does not permit the traffic: outside is security level 0, so an access list permitting TCP/9997 to 20.0.0.10 must also be applied inbound on the outside interface before forwarders can reach the indexer.

ciscoasa(config)# object network splunk-nat
ciscoasa(config-network-object)# host 20.0.0.10
ciscoasa(config-network-object)# nat (inside,outside) static interface service tcp 9997 9997

Gateways / Static Routes

In some instances you have multiple networks on the other side of one interface, and you need to tell the ASA where to send that traffic. This is where gateways and static routes come in. The route names the interface the next hop sits behind, so the next-hop address must be on that interface's subnet; 20.0.0.1 is on the inside network, so the route to 30.0.0.0/24 goes out inside. See the image at the bottom of this page for an example.

ciscoasa(config)# route inside 30.0.0.0 255.255.255.0 20.0.0.1
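The three pieces above (interface assignments, the Splunk NAT with its access list, and the static routes) as one pasteable configuration. This is an added example, not configuration from the original page or from a deployed DCO kit. Values taken from the page: the interface addresses, the 20.0.0.10:9997 indexer, the 20.0.0.1 router and the 30.0.0.0/24 network behind it. Assumed for illustration: the customer default gateway 192.168.228.1, the names OUTSIDE_IN and INSIDE_NET, and the object name for outbound PAT.

```cisco
! Added example configuration (not from the original page). Assumed values:
! customer gateway 192.168.228.1, ACL name OUTSIDE_IN, object name INSIDE_NET.
!
! Interface assignments. security-level sets the default direction of trust:
! 100 -> 0 is allowed by default, 0 -> 100 is dropped unless an access list
! applied to the outside interface permits it.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.228.161 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 20.0.0.254 255.255.255.0
 no shutdown
!
! Object NAT for the Splunk indexer. The object is the REAL host on inside;
! (inside,outside) lists the real interface first and the mapped interface
! second. "interface" maps the host to the outside interface address and the
! service clause limits the translation to TCP/9997 only.
object network splunk-nat
 host 20.0.0.10
 nat (inside,outside) static interface service tcp 9997 9997
!
! Inbound access list. Since ASA 8.3 access lists match the real (untranslated)
! address, so the destination is 20.0.0.10, not 192.168.228.161. The source is
! scoped to the customer subnet rather than "any" so only forwarders on the
! customer network can reach the indexer; everything else is denied and logged.
access-list OUTSIDE_IN extended permit tcp 192.168.228.0 255.255.255.0 host 20.0.0.10 eq 9997
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound traffic from the DCO tools (Beats, Rocket.Chat, file share) needs a
! dynamic PAT so replies come back to the outside interface address. Inside is
! security level 100, so no access list is needed for this direction.
object network INSIDE_NET
 subnet 20.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static routes. The next hop must be on the subnet of the interface named in
! the route: 20.0.0.1 is on the inside network, so 30.0.0.0/24 is reached via
! inside. The default route points at the (assumed) customer gateway.
route inside 30.0.0.0 255.255.255.0 20.0.0.1
route outside 0.0.0.0 0.0.0.0 192.168.228.1
```

After pasting, verify from exec mode before relying on it: `show nat detail` confirms the object NAT is installed with (inside,outside), `show route` confirms both static routes, and `packet-tracer input outside tcp 192.168.228.50 40000 192.168.228.161 9997` walks a synthetic forwarder packet (192.168.228.50 is an assumed source) through the NAT and access-list phases and reports exactly which phase drops it if the flow fails. Finish with `write memory` so the configuration survives a reboot.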
Reference: Configure Network Address Translation and ACLs on an ASA Firewall (Cisco documentation on configuring NAT on an ASA firewall)

Image: Cisco ASA NAT Demonstration

Image: Static routes with multiple networks on the other side of an interface