
003. ROUTING ON THE ASA

Once you configure an IP address and a subnet mask on an ASA interface, the entire IP subnet used on that interface becomes reachable from the ASA. This is known as a directly connected subnet or route. Before the ASA can forward packets toward other subnets that are not directly connected, it needs additional routing information.

 

An ASA keeps a table of routes to all IP subnets that are known to it. At a minimum, each route contains an IP subnet, a subnet mask, and the IP address of the next-hop router that can reach the subnet. By default, the routing table is populated with every directly connected subnet, where the next hop is the ASA’s own interface. An ASA can also import routing information into its routing table from the following sources:

 

Static routes: Routes that are manually configured and do not change.

 

RIP version 2: Routes learned dynamically from other routers running the Routing Information Protocol version 2 (RIPv2).

 

EIGRP: Routes learned dynamically from other routers running the Enhanced Interior Gateway Routing Protocol (EIGRP).

 

OSPF: Routes learned dynamically from other routers running the Open Shortest Path First (OSPF) routing protocol.

 

An ASA can also advertise routes found in its own routing table to other routers running the RIPv2, EIGRP, and OSPF routing protocols. If multiple routing protocols are used, an ASA can even redistribute routing information from one protocol into another.

 

STATIC ROUTING ON THE ASA

Static routes are manually configured and are not learned or advertised by default. A static route names the destination subnet (an IP address and a subnet mask), the ASA interface that packets for it leave through, and the next-hop gateway address on that interface. By default, a static route receives an administrative distance of 1. You can override this by specifying a distance value of 1 to 255; a static route with a higher distance is a floating (backup) route that is installed in the routing table only when no route with a lower distance to the same subnet exists.

 

As an example, suppose an ASA has its inside interface configured for the 192.168.10.0/24 subnet. The ASA automatically defines a directly connected route to 192.168.10.0 255.255.255.0 through its inside interface. In addition, the subnets 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 and 10.0.40.0/24 are reachable through the gateway 192.168.10.2 located on the INSIDE interface. Because these subnets are not directly connected, we configure a static route for each of them pointing at that gateway.
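The configuration below is an added example, not the page's own configuration (the page's screenshots are not reproduced here). It shows the static routes just described on the ASA and the matching configuration on the inside router, followed by the verification commands. Assumptions: the ASA owns 192.168.10.1 on INSIDE and 209.165.200.2 on OUTSIDE, the upstream router on OUTSIDE is 209.165.200.1, the interface names and port numbers, and a backup router at 192.168.10.3 that only serves to illustrate the distance parameter. The four department subnets and the inside router at 192.168.10.2 come from the text above.

```cisco
! ---------- ASA ----------
! Interface addresses are assumptions; the page only gives the subnets.
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.165.200.2 255.255.255.0
!
! Static routes: route <interface> <subnet> <mask> <next-hop> [distance]
! The four department subnets sit behind the inside router at 192.168.10.2.
route INSIDE 10.0.10.0 255.255.255.0 192.168.10.2 1
route INSIDE 10.0.20.0 255.255.255.0 192.168.10.2 1
route INSIDE 10.0.30.0 255.255.255.0 192.168.10.2 1
route INSIDE 10.0.40.0 255.255.255.0 192.168.10.2 1
!
! Default route for everything else (assumed upstream router).
route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.1 1
!
! Distance 254 makes this a floating route: it is installed only while the
! distance-1 route to 10.0.10.0/24 is absent. 192.168.10.3 is hypothetical.
route INSIDE 10.0.10.0 255.255.255.0 192.168.10.3 254
!
! ICMP is not tracked statefully unless it is inspected. Without this, the
! echo requests in the ping tests leave the ASA but the replies coming back
! from the lower-security side are dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification on the ASA
show route
ping INSIDE 10.0.10.100
!
! ---------- Inside router (Cisco IOS) ----------
! The link towards the ASA; the department networks are directly connected
! to this router (interface details assumed).
interface GigabitEthernet0/0
 description Link to ASA INSIDE
 ip address 192.168.10.2 255.255.255.0
!
! Return path: anything that is not a local department subnet goes to the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
show ip route
```

In the output of show route on the ASA each static route is listed with a leading S and its distance and metric in brackets, for example [1/0]; the floating route does not appear while the primary route to 10.0.10.0/24 is present. The default route on the inside router is just as important as the routes on the ASA: without it the router has no route for the DMZ or OUTSIDE networks and drops the PCs' packets before they ever reach the ASA, even though the ASA's routing table is correct.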

 

NETWORK TOPOLOGY

 

 

 

ROUTING VERIFICATION

By default the ASA allows traffic from an interface with a higher security level to an interface with a lower security level. That is, provided the static routes are correct, traffic from the ICT, HR, FINANCE and PROCUREMENT networks behind the INSIDE interface (security level 100) is allowed to the DMZ and OUTSIDE interfaces, which have security levels of 50 and 0 respectively.

 

Likewise, traffic from the DMZ (security level 50) is allowed to the OUTSIDE interface (security level 0) and is statefully inspected, so the replies belonging to those sessions are let back in. Traffic initiated from a lower security level towards a higher one, such as from OUTSIDE (security level 0) to INSIDE (security level 100), is denied no matter how correct the routing is, unless an access list applied to the lower-security interface explicitly permits it. One caveat for the ping tests that follow: ICMP is only tracked statefully when ICMP inspection (inspect icmp) is enabled in the global policy; without it, or without an access list permitting echo replies on the lower-security interface, the echo requests go out but the replies are dropped. So in this demonstration traffic from the INSIDE interface towards the DMZ and the OUTSIDE interface should go through, and so should traffic from the DMZ interface towards the OUTSIDE interface.

 

In this demo we are going to use a PC in the ICT department to simulate traffic from a higher security level interface towards the DMZ and the OUTSIDE interfaces.

 

PC1 (ICT PC) [From 10.0.10.0/24 to 172.16.0.0/24 {DMZ}]

 

 

 

PC1 (ICT PC) [From 10.0.10.0/24 to 209.165.200.0/24 {OUTSIDE}]

 

 

 

DMZ PC TO OUTSIDE PC [From 172.16.0.0/24 to 209.165.200.0/24 {OUTSIDE}]

 

 

 

STATIC ROUTING VERIFICATION OF THE INSIDE ROUTER

We are now going to see the static routing configuration on the INSIDE router as shown in the figure below.

 

 

 

STATIC ROUTING VERIFICATION OF THE ASA FIREWALL

 

 

 

THE END.

 

 

CONFIGURING THE CISCO ASA AS A DHCP SERVER

NETWORK TOPOLOGY

 

 

 

N.B EVEN THOUGH THE DHCP SERVER IS SHOWN IN THE ABOVE NETWORK TOPOLOGY IN THE DMZ, IT WILL NOT BE USED TO GIVE OUT IP ADDRESSES, INSTEAD WE WILL HAVE THE ASA FIREWALL DO THAT.

 

In some cases, a network might not have a dedicated DHCP server. You can configure an ASA to act as a DHCP server, assigning IP addresses dynamically to requesting clients. The DHCP server can also generate dynamic DNS information, allowing DNS records to be updated dynamically as hosts acquire an IP address.

 

An ASA will return its own interface address for the client to use as the default gateway. The interface subnet mask is returned for the client to use as well. You can define and enable DHCP servers on more than one interface, if clients are located there.

 

As an example, in this demonstration we configure the ASA firewall to issue IP addresses from the following DHCP pools/networks.

 

ICT Network:

Network Range: 10.0.10.100 – 10.0.10.254

Default Gateway: 10.0.10.1

DNS server: 172.16.0.5

Domain Name: MOIGETECH.KENYA

 

HR Network:

Network Range: 10.0.20.100 – 10.0.20.254

Default Gateway: 10.0.20.1

DNS server: 172.16.0.5

Domain Name: MOIGETECH.KENYA

 

FINANCE Network:

Network Range: 10.0.30.100 – 10.0.30.254

Default Gateway: 10.0.30.1

DNS server: 172.16.0.5

Domain Name: MOIGETECH.KENYA

 

PROCUREMENT Network:

Network Range: 10.0.40.100 – 10.0.40.254

Default Gateway: 10.0.40.1

DNS server: 172.16.0.5

Domain Name: MOIGETECH.KENYA

 

PC1 is in the ICT Network, PC2 is in the HR network, PC3 is in the FINANCE network and PC4 is in the PROCUREMENT network.
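The following is an added example of the ASA DHCP server configuration for the four pools above; it is not the page's own configuration. The pools, gateways, DNS server and domain name are taken from the list above. The interface names ICT, HR, FINANCE and PROCUREMENT, the sub-interface numbering and the lease time are assumptions. Two facts drive the layout: the ASA hands out the address of the interface the pool is bound to as the default gateway, so that interface must carry the 10.0.x.1 address the clients are meant to get, and the ASA rejects a pool that does not lie inside that interface's subnet.

```cisco
! The interface address is what the clients receive as their default gateway.
! HR (10.0.20.1), FINANCE (10.0.30.1) and PROCUREMENT (10.0.40.1) are
! configured the same way on sub-interfaces .20, .30 and .40 (assumed).
interface GigabitEthernet0/1.10
 vlan 10
 nameif ICT
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
! One pool per interface; each pool must sit inside that interface's subnet.
dhcpd address 10.0.10.100-10.0.10.254 ICT
dhcpd address 10.0.20.100-10.0.20.254 HR
dhcpd address 10.0.30.100-10.0.30.254 FINANCE
dhcpd address 10.0.40.100-10.0.40.254 PROCUREMENT
!
! Options handed out with every pool. Append "interface <name>" to either
! command to give a single pool a different value.
dhcpd dns 172.16.0.5
dhcpd domain MOIGETECH.KENYA
!
! Lease time in seconds (the default is 3600); 8 hours is an assumption.
dhcpd lease 28800
!
! Nothing is served until the server is enabled on each client-facing interface.
dhcpd enable ICT
dhcpd enable HR
dhcpd enable FINANCE
dhcpd enable PROCUREMENT
!
! Verification: active leases, per-interface state and request/reply counters
show dhcpd binding
show dhcpd state
show dhcpd statistics
```

show dhcpd binding is the ASA-side counterpart of the client screenshots below: each PC that took a lease appears with its address, MAC and remaining lease time. The DNS server at 172.16.0.5 sits in the DMZ, so client queries cross from security level 100 to 50, which the ASA permits by default and tracks statefully, so no access list is needed for name resolution to work.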

 


 

 

DHCP CONFIGURATIONS ON THE ASA

 

 

 

VERIFICATION ON THE DHCP CLIENTS

 

PC1

 

 

 

From the figure above you can see that PC1 has received its IP address through DHCP from the ASA which happens to be the DHCP server. It has received the correct IP address (10.0.10.100) from the correct DHCP Pool (10.0.10.100 – 10.0.10.254). PC1 has also received the correct domain name which is MOIGETECH.KENYA.

 

PC2

 

 

 

From the figure above you can see that PC2 has received its IP address through DHCP from the ASA which happens to be the DHCP server. It has received the correct IP address (10.0.20.100) from the correct DHCP Pool (10.0.20.100 – 10.0.20.254). PC2 has also received the correct domain name which is MOIGETECH.KENYA.

 

PC3

 

 

 

From the figure above you can see that PC3 has received its IP address through DHCP from the ASA which happens to be the DHCP server. It has received the correct IP address (10.0.30.100) from the correct DHCP Pool (10.0.30.100 – 10.0.30.254). PC3 has also received the correct domain name which is MOIGETECH.KENYA.

 

PC4

 

 

 

From the figure above you can see that PC4 has received its IP address through DHCP from the ASA which happens to be the DHCP server. It has received the correct IP address (10.0.40.100) from the correct DHCP Pool (10.0.40.100 – 10.0.40.254). PC4 has also received the correct domain name which is MOIGETECH.KENYA.

 

DHCP SERVER VERIFICATION ON THE ASA

 

 

 

THE END.

 

 

002. DEPLOYING DHCP SERVICES ON THE ASA

DHCP TOPOLOGY

 

 

 

Client devices that are connected to a network need to use unique IP addresses so that they can communicate. Although a client can be configured with a static IP address, most often it relies on a DHCP server to provide an IP address that can be “checked out” or leased for a period of time.

 

When a network architecture includes an ASA, one of two things is usually true: the clients have no local DHCP server at all, or the ASA separates the clients from a working DHCP server. You can configure an ASA to assist the clients in either case, as described in the sections that follow.

 

THE ASA AS A DHCP RELAY

 

Most of the time the DHCP server is not on the same network as the DHCP clients. In that case the clients' default gateway has to relay the DHCP requests from the clients to the DHCP server.

 

When a client needs an IP address, it sends a DHCP request and hopes that a DHCP server hears it and answers. DHCP requests are sent as broadcasts, because the client does not yet know the server's address, so a DHCP server must either sit in the same broadcast domain as the client or be reached through a relay agent. When an ASA is introduced into a network, it often adds a security domain boundary that separates the clients from the DHCP server.

 

For example, a group of clients might be connected to one ASA interface, and the DHCP server might be connected to a different interface. By default, an ASA will not forward DHCP requests from one of its interfaces to another. You can configure an ASA to use the DHCP relay agent feature to relay DHCP requests (broadcasts) received on one interface to a DHCP server found on another interface.

 

The relay agent does this by forwarding each broadcast request as a unicast packet to the configured server address on UDP port 67, with the relay agent address (giaddr) set to the address of the ASA interface the request arrived on; the server uses giaddr to select the scope that matches the client's subnet. The ASA can also intercept the replies returned by the DHCP server and rewrite the default router option so that it carries the address of the ASA interface itself.

 

In this demonstration we use the DHCP role of Windows Server 2012 as the DHCP server, and the Cisco ASA firewall is configured to relay the DHCP messages between the DHCP clients and the DHCP server.
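The following is an added example of the relay configuration on the ASA, not the page's own configuration. The client-facing interface names ICT, HR, FINANCE and PROCUREMENT, the DMZ interface name and the server address 172.16.0.5 (the page places the Windows server in the DMZ but does not print its address) are assumptions; the four client networks come from the topology.

```cisco
! The ASA refuses to enable the relay while its own DHCP server is enabled on
! the interfaces, so the dhcpd enable lines from the DHCP-server post must go.
no dhcpd enable ICT
no dhcpd enable HR
no dhcpd enable FINANCE
no dhcpd enable PROCUREMENT
!
! Where to forward the requests: the server address and the interface it sits
! behind (address assumed). Requests are sent there as unicast to UDP 67.
dhcprelay server 172.16.0.5 DMZ
!
! Client-facing interfaces whose DHCP broadcasts are relayed.
dhcprelay enable ICT
dhcprelay enable HR
dhcprelay enable FINANCE
dhcprelay enable PROCUREMENT
!
! Rewrite the default-router option in the server's replies to the address
! of the ASA interface the client is on (the interception described above).
dhcprelay setroute ICT
dhcprelay setroute HR
dhcprelay setroute FINANCE
dhcprelay setroute PROCUREMENT
!
! Seconds to wait for the server to answer a relayed request (default 60).
dhcprelay timeout 90
!
! Verification: per-interface relay state and request/reply counters
show dhcprelay state
show dhcprelay statistics
```

On the Windows side nothing refers to the ASA: the server simply needs one scope per client subnet (the page's pools 10.0.10.50-10.0.10.250 and so on), and it picks the scope whose subnet contains the giaddr the ASA put into the relayed request, i.e. the ASA's 10.0.x.1 interface address. If a client gets no lease, show dhcprelay statistics on the ASA shows whether requests were relayed at all and whether any reply came back, which separates an ASA problem from a scope problem on the server.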

 

WINDOWS SERVER AS THE DHCP SERVER

 

 

 

As you can see from the figure above there are four DHCP Pools configured in this Windows 2012 server.

 

CONFIGURING DHCP RELAY SERVICE ON THE ASA

 

 

 

TESTING THE DHCP SERVICE

Now it is time to test whether the DHCP service works as expected. In this demo we have four PCs: PC1 in the ICT network, PC2 in the HR network, PC3 in the FINANCE network and PC4 in the PROCUREMENT network, as shown below.

 

PC1

 

 

 

As you can see from the figure above, PC1 has received an IP address from the DHCP server in the DMZ and it has received the correct address (10.0.10.50) from the correct address pool (10.0.10.50 – 10.0.10.250).

 

PC2

 

 

 

As you can see from the figure above, PC2 has received an IP address from the DHCP server which is located in the DMZ and it has received the correct address (10.0.20.50) from the correct address pool (10.0.20.50 – 10.0.20.250).

 

PC3

 

 

 

As you can see from the figure above, PC3 has received an IP address from the DHCP server which is located in the DMZ and it has received the correct address (10.0.30.50) from the correct address pool (10.0.30.50 – 10.0.30.250).

 

PC4

 

 

 

As you can see from the figure above, PC4 has received an IP address from the DHCP server which is located in the DMZ and it has received the correct address (10.0.40.50) from the correct address pool (10.0.40.50 – 10.0.40.250).

 

VERIFICATION ON THE DHCP SERVER

We can now verify that the Windows DHCP server has leased those IP addresses from each DHCP Pool.

 

ICT NETWORK/POOL

 

 

 

HR NETWORK/POOL

 

 

 

FINANCE NETWORK/POOL

 

 

 

PROCUREMENT NETWORK/POOL

 

 

 

THE END.

 

001. INTER-VLAN ROUTING ON THE ASA FIREWALL

 

 

 

Every ASA has one or more interfaces that can be used to connect to some other part of the network so that traffic can be inspected and controlled. ASA interfaces can be physical, where actual network media cables connect, or logical, where the interfaces exist internally and are passed to the network over a physical link.

 

The ASA can be configured with sub-interfaces just as a Cisco router can, using the feature commonly known as "router on a stick". As this article shows, the ASA can act as a layer 3 routing device and perform many of the functions a router does. The main focus of this article is configuring the Cisco ASA firewall to perform inter-VLAN routing between the four VLANs configured on the LAN: ICT, HR, FINANCE and PROCUREMENT.

 

As shown in the following figure, PC1 is in the ICT VLAN while PC2 is in HR VLAN and PC3 in FINANCE VLAN and lastly PC4 in PROCUREMENT VLAN. These four PCs should be able to communicate with one another over the ASA sub-interfaces.
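The following is an added example of the sub-interface configuration on the ASA and the matching trunk on the switch; it is not the page's own configuration. The VLAN IDs 10, 20, 30 and 40 and the department names are from this post; the 10.0.x.0/24 networks with the ASA at .1 match the DHCP posts on this page. The physical port numbers, the security levels and the switch port numbers are assumptions.

```cisco
! ---------- ASA ----------
! The physical port is a bare 802.1Q trunk: no name, level or address of its own.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One sub-interface per VLAN; "vlan <id>" is the 802.1Q tag it sends and accepts.
interface GigabitEthernet0/1.10
 vlan 10
 nameif ICT
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif HR
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif FINANCE
 security-level 100
 ip address 10.0.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif PROCUREMENT
 security-level 100
 ip address 10.0.40.1 255.255.255.0
!
! The ASA drops traffic between two interfaces that share a security level.
! With all four VLANs at level 100 this line is what makes the ping tests pass.
same-security-traffic permit inter-interface
!
! Verification on the ASA
show interface ip brief
show nameif
!
! ---------- Switch (Cisco IOS) ----------
vlan 10
 name ICT
vlan 20
 name HR
vlan 30
 name FINANCE
vlan 40
 name PROCUREMENT
!
! Uplink to the ASA: an 802.1Q trunk limited to the four VLANs. Older
! Catalyst models also need "switchport trunk encapsulation dot1q" first.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! Access port for a PC, here PC1 in the ICT VLAN (port number assumed)
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
```

Two practical notes. First, once same-security-traffic permit inter-interface is on, every VLAN can reach every other VLAN unrestricted, which is fine for this test but not for a firewall that is supposed to separate HR from FINANCE; the segmentation then has to come from access lists applied per sub-interface with access-group. Second, the alternative to that command is to give the sub-interfaces different security levels, in which case only the higher-level VLAN can initiate traffic towards the lower one and the ping tests from PC1 would succeed only in that direction.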

 

NETWORK TOPOLOGY DIAGRAM

 

 

 

The following diagram shows the sub-interfaces configured to support inter-VLAN routing on the Cisco ASA.

 

 

 

Now let us look at the corresponding VLAN on the Switch as shown in the figure below.

 

 

 

TESTING INTER-VLAN ROUTING

We are going to now test traffic flowing from one VLAN to another starting from PC1 in VLAN 10 to PC2 (VLAN 20), PC3 (VLAN 30) and PC4 (VLAN 40) as shown below.

 

PC1

 

 

 

PC2

 

 

 

PC3

 

 

 

PC4

 

 

 

 

THE END.

 

 

WELCOME TO THE CISCO ADAPTIVE SECURITY APPLIANCE (ASA) FIREWALL

 

 

 

There has never been a better time to think about security than it is now. You may not have given it much thought but it is now the time not to take anything to chance when it comes to securing your intellectual assets.

 

There are numerous security devices and solutions on the market today, so where do you start? With the Cisco Adaptive Security Appliance (ASA) Firewall.

 

A security firewall has been a first line of defense for more than 25 years now. The Cisco firewall is one device that literally works magic. Cisco has different ASA firewalls to cater for the needs of all from the Small Office Home Office (SOHO) kind of network to large enterprises and huge service providers. The following list shows you some of the Cisco Next-Generation firewall Appliances available today.

 

1.        ASA 5506-X with FirePOWER Services

2.        ASA 5506W-X with FirePOWER Services

3.        ASA 5506H-X with FirePOWER Services

4.        ASA 5508-X with FirePOWER Services

5.        ASA 5516-X with FirePOWER Services

6.        ASA 5525-X with FirePOWER Services

7.        ASA 5545-X with FirePOWER Services

8.        ASA 5555-X with FirePOWER Services

9.        ASA 5585-X with FirePOWER SSP-10

10.      ASA 5585-X with FirePOWER SSP-20

11.      ASA 5585-X with FirePOWER SSP-40

12.      ASA 5585-X with FirePOWER SSP-60

 

 

WHY CHOOSE CISCO ASA FIREWALL

Cisco Systems has been inventing technology since 1985, often long before the standards bodies catch up. As far as security goes, the Cisco ASA firewall is the most advanced security device ever invented; Cisco Systems is 100 billion light years ahead of its closest competition, as I will show you shortly.

 

With Cisco you can be sure that you have made the wisest and safest investment and that your intellectual assets will be adequately protected. And now let us look at the reasons why you need to choose the Cisco ASA Firewall over all the others.

 

REASONS WHY CISCO ASA FIREWALL IS A CUT ABOVE THE REST

 

SUPERIOR MULTILAYERED PROTECTION

Stay more secure. This NGFW (Next-Generation Firewall) has earned the highest security effectiveness scores in third-party testing for both NGIPS and AMP, blocking 99.4% and 99.2% of threats, respectively.

 

SIMPLIFIED MANAGEMENT AND LOWER COSTS

Get visibility into and control over activity across your network. Gain insight into users, apps, devices, threats, files, and vulnerabilities. Extend protection from the data center to mobile devices. It’s all possible with the Firepower Management Center.

 

UNIFIED SECURITY SERVICES AND TASK AUTOMATION

Cisco’s integrated approach to threat defense reduces capital and operating costs as well as administrative complexity by consolidating multiple security services in a single platform. Automate security tasks to increase agility and speed remediation.

 

WIDE RANGE OF SIZES AND FORM FACTORS

Cisco has the platform for you: standalone options for small and midsize businesses, ruggedized appliances for extreme environments, midsize appliances for security at the Internet edge, and high-performance appliances for enterprise data centers.

 

NSS LABS VALIDATION

Cisco NGFW Leads Again in NSS Labs Test: Cisco excels in threat defense, blocking 100% of evasions and surpassing 4 major vendors by 50+ points in security effectiveness. Check out this link for more information. https://engage2demand.cisco.com/LP=5662

 

With Cisco products, you can never go wrong. Start your journey into a secure and safe digital world with the Cisco ASA firewall.

 

Next we go right into looking at the features that make the Cisco ASA firewall the best of the best in the industry and yes, a cut above the rest.

 

 

THE END.

 

 
