Cisco ASA 9.8 CLI Command – ASA NAT – Object Group – inspect ICMP – IKEv2 Policy ||Enabling SSH inside

CLI Command

Cisco ASA 9.8 CLI Commands

This article is covering most important cisco ASA command of ASA Version 9.8. This article may help network and security guys who deals in day to day troubleshooting call and also help in implementation new setup of cisco ASA firewall in the network.

This article intent to NAT, Static NAT, PAT, Object Group, access-list, Inspect ICMP, IKEv2 Policy and SSH access enabling on ASA.



ASA Outside Interface Configuration

outside interface is consider as untrusted zone interface have 0 (zero) security level by default.

Example –

ASA-A(Config)# interface GigabitEthernet0/0
ASA-A(Config-if)# nameif outside
ASA-A(Config-if)# security-level 0
ASA-A(Config-if)# ip address 200.100.0.1 255.255.255.0

ASA inside Interface Configuration

inside interface is consider as trusted zone interface have 100 security level by default.

Example –

ASA-A(Config)# interface GigabitEthernet0/1
ASA-A(Config-if)#  nameif inside
ASA-A(Config-if)# security-level 100
ASA-A(Config-if)# ip address 172.16.10.2 255.255.255.0

Object Group

Object network/service Groups is very significant part on cisco ASA Firewall software ASA 8.4 and later version. Object group contain IP address and subnet extensively used for NAT and Access-list.

Example –

ASA-A(Config)# object network inside_network
ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0
ASA-A(Config-network-object)# Subnet 172.16.11.0 255.255.255.0
ASA-A(Config)# object network web-server-172.16.10.11
ASA-A(Config-network-object)# host 172.16.10.11

Create a Service Group for service Protocol tcp/udp

ASA-A(Config)# object-group service www-protocols tcp
ASA-A(config-server-object-group)# port-object eq 80
ASA-A(config-server-object-group)# port-object eq 443

PAT (Port address Translation)

It’s very obvious to have PAT configuration for inside users who need to access internet or external public servers. PAT act as Forward Proxy server. So, PAT hide the inside network from internet users. It only allow inside to outside Access.

Example –

Inside LAN – 172.16.10.0/24 , Dynamic NAT – outside Interface.

ASA-A(Config)# object network inside_network
ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0
ASA-A(Config-network-object)# nat (inside,outside) dynamic interface

Static NAT Configuration on ASA

In case you want to give a static public IP address to a web-server (Hosted Inside) to make it public facing server. So Internet user can access web application that hosted on this server.

Example –

Private IP Address – 172.16.10.11 , Public IP address – 200.100.0.11

Let’s assume we have web-server hosted in Data Center inside network having IP – 172.16.10.11. So, we are mapping that web-server with public IP – 200.100.0.11 (Static NAT) and only allowing internet inbound access on port 80,443.

ASA-A(Config)# object network web-server-172.16.10.11
ASA-A(Config-network-object)# host 172.16.10.11 255.255.255.0
ASA-A(Config-network-object)# nat (inside,outside) static 200.100.0.11
ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq www-protocols

OR

ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq 443
ASA-A(Config)# access-list outside_in extended permit tcp any host 200.100.0.11 eq 80

Apply ACL on interface.

ASA-A(Config)# access-group outside_in in interface outside

ICMP Allow ACL for Any Any

ICMP protocol is most vital part of network in order to test the connectivity with help of ping.So, here you can see how to allow icmp traffic on ASA.

Example –

ASA-A(Config)# access-list outside_in extended permit icmp any4 any4

NO NAT (NAT Zero)

No NAT concept is normally used for VPN traffic which does not need to NAT or change actual IP address that traversing thru vpn tunnel.

Example –

Local vpn subnet Object – ASA-A
Remote vpn subnet Object – ASA-B

ASA-A(Config)# object network ASA-A
ASA-A(Config-network-object)# subnet 172.16.10.0 255.255.255.0

ASA-A(Config)# object network ASA-B
ASA-A(Config-network-object)# subnet 192.168.10.0 255.255.255.0

ASA-A(Config-network)# nat (inside,outside) source static ASA-A ASA-A destination static ASA-A ASA-A no-proxy-arp route-lookup

SSH Configuration

Cisco ASA does not enable SSH access by default. Below mentioned command and steps will help to enabling SSH access from inside network.

ASA-A(config)# enable password <password> encrypted << enable password
ASA-A(config)# username <username> password <password> encrypted privilege 15 <<SSH Login
ASA-A(config)# aaa authentication ssh console LOCAL <<Local Authentication
ASA-A(config)# ssh 192.168.0.10 255.255.255.0 inside << Inside Subnet allow SSH to ASA Firewall
ASA-A(config)# domain-name <domain-name> <<Domain name
ASA-A(config)# crypto key gen rsa mod 4096 << Generate RSA key pairs for your Cisco ASA, The 4096-bit RSA keys are only supported on the ASA5580, 5585, or later platforms.
ASA-A(config)# ssh version 2 << restrict ASA to only use version 2
ASA-A(config)# ssh key-exchange group dh-group14-sha1 << exchange keys method using either the Diffie-Hellman (DH) Group 1 DH Group 14 

Inspect ICMP

Inspect ICMP will start to allow all ICMP types traffic such as echo to pass through ASA. ICMP packet will be allowed through the ASA without a Pre-configure ACL evaluation.

ASA-A(Config)#policy-map global_policy
ASA-A(Config-pmap)#class inspection_default
ASA-A(Config-pmap-c)#inspect icmp

ISAKMP Policies for IKEv2 

IKEv2 Crypto policy configuration on ASA

ASA-A(Config)#crypto ikev2 policy 10 << IKEv2 policy configuration mode
ASA-A(Config-ikev2-policy)#encryption aes-256 << Set the encryption algorithm
ASA-A(Config-ikev2-policy)#integrity sha256 << Configure a hash method
ASA-A(Config-ikev2-policy)#group 19 << Set the Diffie-Hellman group
ASA-A(Config-ikev2-policy)#prf sha256 << Configure the Pseudo-Random Function 
ASA-A(Config-ikev2-policy)#lifetime seconds 86400<<Set the encryption key lifetime
ASA-A(Config)#crypto ikev2 enable outside <<Enable IKEv2 on the interface

 

Author: Ronnie Singh

Leave a Reply