In this tutorial, we are going to learn the step-by-step internet configuration method for the Cisco ASA firewall. We can use a firewall to connect to the internet as well as protect data from outside threats.
A firewall can perform NAT functions like a router that is used to connect local users to the internet.
We know that we need to use one public IP address to connect to the internet. Because private IP addresses are not routable to the internet. That's why we share one public IP address or a range of public IP addresses among the LAN users. This is because it is very costly to provide a separate public IP address to each other. To share one public IP address among so many users, we have to use NAT configurations. Using NAT, we can share one public IP address or we can share a range of public IP addresses.
In the Cisco ASA firewall, when we share one public IP address among the LAN users, then it is called "Dynamic PAT (Hide)". When we share a range of IP addresses then it is called "Dynamic NAT".
In this tutorial, we are going to share one public IP address among the LAN users. That's why we will use the "Dynamic PAT (Hide)" configuration. We will perform NAT function from inside interface to outside interface. All the LAN user's traffic that is intended to reach the internet or the outside network, their source address will be replaced by the outside interface IP address.
Now we will go through the step-by-step configuration process to perform the source NAT configuration in the outside interface of the Cisco ASA firewall.
We assume that we have a local network 192.168.1.0/24. Also, we have one public IP address 1.1.1.1. Now we are going to configure the 192.168.1.0/24 network in our inside interface and the 1.1.1.1 IP address in our outside interface. After that, we will configure source NAT so that our LAN users can connect to the internet using our outside interface IP address (i.e. 1.1.1.1). Finally, we have to create one access list entry so that the firewall can allow the internet traffic from the inside interface to the outside interface.
Let's start with the interface configuration. At first, we will configure an IP address in the inside interface. The IP address will be 192.168.1.254/24. This address will be the gateway for our LAN users.
Click on the "Configuration" tab and select the "Device Setup" options. Now expand the "Interface Settings" tree and select the "Interfaces" parameters. Here, you will find the network interface list that is attached to your firewall.
We have selected "GibabitEhterner1/1" as the "Outside" interface and "GibabitEhterner1/2" as the inside interface. Now double-click on the "inside" interface or the "GibabitEhterner1/2" interface to configure its IP address. Make sure you are in the "General" tab. If you want you can change your interface name from the "Interface Name" field. Click on the "Use Static IP" radio button and write your IP address in the "IP Address" field. Then write your "Subnet Mask" or select it from the "Drop-down" menu. Then click on the "OK" button to close this window.
Now we will configure the "Outside" interface IP address. Just click on the "GibabitEhterner1/1" interface since we have selected it as the "Outside" interface. Here, you can change the interface name also. Select the "Use Static IP" radio button and write your IP address. As our example, our outside interface IP address will be 1.1.1.1. Now select your subnet mask from the drop-down list or you can write it.
Now click on the "Apply" button to save these changes into the "Start-up" config.
Our IP address configuration has finished. Now we will add the default route entry or the default gateway. To add the "Default Route" or the "Default Gateway" expand the "Routing" configuration tree.
Click on the "Static Routes" option. Then click on the "Add" button to add a new static entry.
Now select the "IPv4" radio button from the "IP Address Type" section. In the "Interface" field, select your "Outside" interface from the drop-down list. Now write your network address in the "Network" field. Here, we will write 0.0.0.0/0 as the network address this will be our default route entry. Or you can use the "any4" value from the list. Now write your gateway IP address in the "Gateway IP" field. We will get this gateway IP address from our internet service provider. We assume that our gateway IP address will be 5.5.5.5. Finally, click on the "OK" button to add this route entry as well as close this window.
Our default route configuration has done. Now we will configure the source NAT functions. To configure the source nat, go to the "Firewall" section and click on the "NAT Rules" option. Then click on the "Add" drop-down menu and select the "Add Network Object NAT Rules".
Now we will give a descriptive name for this object. We will name it "NAT_Rule_Internet". Then select the object type from the drop-down list. Here, we will select "network" as the object type. Make sure that the "IPv4" radio button is selected as the "IP Version". Write your network address in the "IP Address" field. Here, we will write "192.168.1.0" as the network address. Because we are going to NAT this local address to our public address which is 1.1.1.1. Then write your subnet mask in the "Netmask" field. You can select a mask from the drop-down list also.
Now we will configure the source NAT. Please make sure that the "Add Automatic Address Translation Rules" check box is ticked in the "NAT" section. In the "Type" field, select "Dynamic PAT (Hide)" from the drop-down list. Now write your public IP address in the "Translated Addr" field which is 1.1.1.1 or you can select your public interface from the interface list. After that click on the "Advanced" tab.
In the "Advanced" tab, we will select the source NAT interface and the destination NAT interface. The source NAT interface is that which will be translated. And the destination NAT interface is one whose address will be used to translate the source interface.
Now select your "inside" interface or the LAN interface from the "Source Interface" field. Because we are going to translate the local private IP address to the public one. Then select your "outside" interface from the "Destination Interface" field. Then click on the "OK" button to close this window.
Finally, click on the "OK" button to save this network object rule. Now click on the "Apply" button to save these changes into the "Running-Config".
At this point, we have to configure the DNS client to perform the name resolution process. Go to the "Device Management" option and expand the "DNS" parameter tree from the "Device Management" configuration list. Then click on the "DNS Client" parameter.
Here, we can create the DNS server group. We can create a single group or we can create multiple groups. In this tutorial, we will create a single group.
At first, configure your primary DNS server. Write your DNS server IP address in the "Primary DNS Server" field. We assume that our DNS address is 8.8.8.8. Now select the source interface that is used to reach that DNS server. Here, we will use the "outside" interface as our source interface because this DNS server is not available in our local network. To reach that DNS server we have to connect to the internet and for internet reachability, we have to use our outside interface.
We can add the secondary DNS servers in the "Secondary Servers" field. Just click on the "Add" button to add a secondary DNS server. There we will write the DNS server IP address in the "Server IP Address" field and have to select the source interface from the "Source Interface" field. Here we will write the secondary DNS address that is 8.8.4.4 and we will select the "outside" interface as the source interface also. We can add multiple servers as our requirement. After click on the "OK" button, this secondary server will add to the secondary servers list. We can add our domain name into the "Domain Name" field.
Now click on the "Apply" button to save this change into the "Running-Config".
All the required configuration is done to connect to the internet. One final thing we have to do that create an access rule to allow the traffic from inside to the outside network. By default, the firewall blocks all the traffic from inside to outside interface and outside to inside interface also. We will create an access rule that allows all the traffic coming from the inside interface and intended to go to the outside network or the internet.
To create an access rule, go to the "Firewall" option and click on the "Access Rules" from the firewall configuration page. Then click on the "Add" button to add a new rule.
Now we will select the interface from the drop-down list on which we will deploy this ACL. Here, we will select the "outside" interface because we are going to apply this ACL in the outside interface. Click on the "Permit" radio button as the "Action" field value. Keep the default value in the source and destination field. Leave the default value for the "service" field also. Then expand the "More Options" feature.
Here, make sure the "Enable Rule" tick button is ticked. Now click on the "Out" radio button as the "Traffic Direction" value. Because we create this ACL to allow the outgoing traffic from inside to the outside interface. After then click on "OK" to add this ACL into the "ACL List".
All the things are done. Now firewall will any traffic from inside to the outside interface coming from any source address. From now on all the local users can connect to the internet.
No comments:
Post a Comment