
Configuring cisco ASA 5510 + security module ASA-SSM-CSC-10 + NAT

There is one public IP (1.1.1.1) and three internal subnets: 192.168.2.0/24, 192.168.3.0/24 and 172.16.0.0/24. There is also a lady in the accounting department whose client-bank software must work through our NAT. The SSM-CSC-10 module is connected with a patch cord to the ASA port Ethernet0/3.

A little about ASA 5510
The basic principle of configuring ASA interfaces comes down to assigning a security-level from 0 to 100.
0 is assigned to an untrusted network, usually the external one.
100 is assigned to the internal network that we need to protect.

For a packet to pass from an interface with security-level 0 to an interface with security-level 100, you must create a permit rule in an access-list. We need this when we forward the port through NAT to the client-bank in the accounting department, and also for SSH access to the security module.

I will say right away that the ASA 5510 does not have its own telnet client, which is very sad. But there is a way out.
It comes down to the fact that the ASA-SSM-CSC-10 module runs our favourite Linux, so we need to get the root console of the module and telnet from there.
The default login and password on the ASA-SSM-CSC-10 module are cisco / cisco.


Connection to security module:

asa5510# conf t asa5510(config)# session 1 


This is what the setup wizard looks like; everything is intuitive. You will need to activate the root account and set the module's IP address (192.168.1.1/24) and default route (192.168.1.254).

 asa5510(config)# session 1
 Opening command session with slot 1.
 Connected to slot 1. Escape character sequence is 'CTRL-^X'.

 login: cisco
 Password:

 Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
 ---------------------------------------------------------------------
 1. Network Settings
 2. Date/Time Settings
 3. Product Information
 4. Service Status
 5. Password Management
 6. Restore Factory Default Settings
 7. Troubleshooting Tools
 8. Reset Management Port Access Control List
 9. Ping
 10. Exit
 ...
 Enter a number from [1-10]:


A few more useful commands for working with the module:

 asa5510# show module
 asa5510(config)# hw-module module 1 ?
 exec mode commands/options:
   password-reset  Reset the CLI password on the module
   recover         Configure recovery of this module
   reload          Reload the module
   reset           Reset the module
   shutdown        Shut down the module


Next, we will need to add an access-list rule for TCP port 5555 and configure PAT (NAT) for SSH access to our module. I leave this work to you (there are similar examples below).
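For reference, here is one way to do that exercise: an added example in the same ASA 8.x syntax the post uses, not part of the original post. It maps external port 5555 to SSH (22) on the module and, unlike the post's permit-any rule for 5555, restricts the source to a trusted management address; ADMIN_HOST is a placeholder you replace.

```cisco
! Added example, not from the original post.
! PAT: external (outside interface) port 5555 -> 192.168.1.1 port 22 on the "antivirus" interface.
asa5510(config)# static (antivirus,outside) tcp interface 5555 192.168.1.1 22 netmask 255.255.255.255
! Permit only the management host (ADMIN_HOST is a placeholder) to reach port 5555 from outside.
! Traffic from security-level 0 to 100 is otherwise dropped, so this ACE is required.
asa5510(config)# access-list outside_access_in extended permit tcp host ADMIN_HOST any eq 5555
asa5510(config)# access-group outside_access_in in interface outside
! Check that the static translation and the ACE (with its hit counter) are in place.
asa5510# show running-config static
asa5510# show access-list outside_access_in
```

From the management host you then connect with ssh -p 5555 to the ASA's public address; the ACE hit counter in show access-list confirms the rule is being matched.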

Configuring ASA Interfaces
External interface:

 asa5510# conf t
 asa5510(config)# interface Ethernet0/0
 asa5510(config-if)# security-level 0
 asa5510(config-if)# nameif outside
 asa5510(config-if)# ip address 1.1.1.1 255.255.255.0


Internal wi-fi network, VLAN 110 (the subinterface needs the interface keyword and its VLAN tag):

 asa5510# conf t
 asa5510(config)# interface Ethernet0/1.110
 asa5510(config-subif)# vlan 110
 asa5510(config-subif)# security-level 100
 asa5510(config-subif)# nameif wi-fi
 asa5510(config-subif)# ip address 192.168.2.254 255.255.255.0


Accounting network, VLAN 120:

 asa5510# conf t
 asa5510(config)# interface Ethernet0/1.120
 asa5510(config-subif)# vlan 120
 asa5510(config-subif)# security-level 100
 asa5510(config-subif)# nameif byx
 asa5510(config-subif)# ip address 192.168.3.254 255.255.255.0


Management interface for managing the switches and wi-fi, VLAN 999:

 asa5510# conf t
 asa5510(config)# interface Ethernet0/1.999
 asa5510(config-subif)# vlan 999
 asa5510(config-subif)# security-level 100
 asa5510(config-subif)# nameif mng
 asa5510(config-subif)# ip address 172.16.0.254 255.255.255.0


Interface facing the SSM module:

 asa5510# conf t
 asa5510(config)# interface Ethernet0/3
 asa5510(config-if)# security-level 100
 asa5510(config-if)# nameif antivirus
 asa5510(config-if)# ip address 192.168.1.254 255.255.255.0


Default route:

 asa5510# conf t
 asa5510(config)# route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

DNS setup (the servers handed out to DHCP clients):

 asa5510(config)# dhcpd dns 8.8.8.8 178.151.44.131


NAT setup:

 asa5510# conf t
 asa5510(config)# nat-control
 asa5510(config)# global (outside) 100 interface
 asa5510(config)# nat (wi-fi) 100 192.168.2.0 255.255.255.0
 asa5510(config)# nat (byx) 100 192.168.3.0 255.255.255.0
 asa5510(config)# nat (antivirus) 100 192.168.1.1 255.255.255.255


where 100 is the NAT ID (group); there can be up to 2147483647 groups. Do not forget that a single group holds only 65536 connections, so if you have more than 1000 users online at the same time, it is advisable to spread them across several NAT groups.

Access-list setting:

 asa5510(config)# access-list outside_access_in extended permit tcp any any eq ssh
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq 5555
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq https
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq 8443
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq bgp
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq pptp
 asa5510(config)# access-list outside_access_in extended permit tcp any any eq 7521
 asa5510(config)# access-list outside_access_in extended permit tcp host 159.224.XX any eq 3006
 asa5510(config)# access-list outside_access_in extended deny tcp any any eq 3006 log


We apply our access-list to the external interface:

 asa5510(config)# access-group outside_access_in in interface outside


Redirect www and mail traffic to the security module for scanning:

 asa5510(config)# access-list csc-acl remark Exclude CSC module traffic from being scanned
 asa5510(config)# access-list csc-acl extended permit tcp any any eq www
 asa5510(config)# access-list csc-acl remark Scan Web & Mail traffic
 asa5510(config)# class-map csc-class
 asa5510(config-cmap)# match access-list csc-acl
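The class-map above only selects the traffic; nothing reaches the module until the class is bound to the policy-map with the csc action. The following is an added example (not from the original post) that does that binding and, since the post's remark mentions mail but csc-acl only matches www, also adds the smtp and pop3 ports; it assumes global_policy is already applied globally, as it is in the default ASA configuration.

```cisco
! Added example, not from the original post.
! Extend csc-acl to the mail ports named in the "Scan Web & Mail traffic" remark.
asa5510(config)# access-list csc-acl extended permit tcp any any eq smtp
asa5510(config)# access-list csc-acl extended permit tcp any any eq pop3
! Bind csc-class to the global policy so matched flows are diverted to the CSC SSM.
asa5510(config)# policy-map global_policy
asa5510(config-pmap)# class csc-class
! fail-close: if the module is down or reloading, matched traffic is dropped
! rather than bypassing the scan (use "csc fail-open" if availability matters more).
asa5510(config-pmap-c)# csc fail-close
asa5510(config-pmap-c)# exit
asa5510(config-pmap)# exit
! global_policy is applied globally by default; re-issue only if it was removed:
! asa5510(config)# service-policy global_policy global
! Check that the module is up and that the csc policy is counting packets.
asa5510# show module 1 details
asa5510# show service-policy csc
```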


Configure PAT for access to the security module's web interface (the default port is 8443):

 asa5510(config)# static (antivirus,outside) tcp interface 8443 192.168.1.1 8443 netmask 255.255.255.255


After that, the module can be reached from the outside in a browser at https://external_ip:8443

Finally, let us deal with our client-bank.
There are two cases:
1) the client-bank works over a VPN connection;
2) the client-bank works on a specific TCP port, in our case port 7521.

For the first case we use the inspect policy for the PPTP protocol. A very convenient and necessary thing. It is similar to loading the ip_nat_pptp module (insmod) for iptables on Linux.

 asa5510(config)# policy-map global_policy
 asa5510(config-pmap)# class inspection_default
 asa5510(config-pmap-c)# inspect pptp


As a result, after this policy is applied, the ASA will let the VPN connection out to the outside world.

Now the second case: transparently forwarding TCP port 7521 to the accountant's machine.

Configure PAT:

 asa5510(config)# static (byx,outside) tcp interface 7521 192.168.3.5 7521 netmask 255.255.255.255


Set up a DHCP server for accounting:

 asa5510(config)# dhcpd address 192.168.3.1-192.168.3.253 byx
 asa5510(config)# dhcpd enable byx


Set up a DHCP server for wi-fi:

 asa5510(config)# dhcpd address 192.168.2.1-192.168.2.253 wi-fi
 asa5510(config)# dhcpd enable wi-fi


Save the configuration:

 asa5510(config)# wr


The end
Thank you all for your attention! I hope I have explained it clearly.

Source: https://habr.com/ru/post/150051/
