Cisco ASA Basics - Lab1 - Interface Security Levels.mov

Cisco ASA/PIX Interface Security Levels concepts.

If the console window is hard to read, view in HD720 and full screen.
Comments

Superb labs - they really motivate me to do some learning - many thanks

lonkow

Thanks for the feedback. I'm glad they're helping.

CovertSecOps

Thank you for posting these videos; they really help a lot!! By the way, may I know what software you use in the video? Is it Cisco Packet Tracer?

aquacavalier

@czbdm0 The ACL was applied to the DMZ interface in the inbound direction. So traffic coming into the DMZ interface has to be allowed by the DMZ ACL. It doesn't matter what interface the traffic is going to exit, as we don't have ACLs applied in the outbound direction on any other interface. You can apply ACLs in the outbound direction, but we didn't do that here. The DMZ ACL overrides the security level. So if traffic coming into the ASA on the DMZ interface matches the ACL, it will be allowed.

CovertSecOps

In most cases, admins only create one ACL per interface and apply it in the inbound direction. Think of it this way: you are the ASA. Your left arm is the inside interface and your right arm is the DMZ interface. Traffic coming from the DMZ to the inside must be allowed by the ACL applied to the DMZ (your right arm) in the inbound direction (into the ASA - your body). Now it's in your body. It leaves (outbound) the ASA on the inside interface (your left arm). There's no ACL on your left arm. CSO

CovertSecOps

Hi, yes, this is all on GNS3. I've never tried an ASA with a newer version than 8.2. Sorry, I don't know anything about Macs. Thanks for watching.

CovertSecOps

@volcer

Hi there,

I'm using GNS3 to make these vids. Not Cisco's packet tracer. You can find it at gns3.net.

CSO

CovertSecOps

Thanks CSO.
How about doing a full video on routing protocols on the ASA?
Also, if you could do NAT tutorials with the ASA in detail, it would be helpful.

hrishikeshkshirsagar

Hi hrishikesh kshirsagar,

There's no routing protocol here. Routing is all static. There really isn't much to do routing wise. Make sure you have all routes in place statically.

For logging, use "logging level debug", and enable terminal monitoring with "term mon".

CSO

CovertSecOps

Sorry for the late reply. Increase the logging level: use "logging level debug". And if you're not connected via the console port, don't forget to use "term mon".

CovertSecOps

Hi,
it's a superb video series, highly educational.
However, I have one issue.
Have you used any routing protocol on the ASA and all the routers? Because when I try to ping from PC1
I am getting "no route found".
Also, how do we enable logging? I can't see the logs the way you do.

Super thanks for the tutorials.

hrishikeshkshirsagar

and make sure that the PC has a default route pointing to the FW1 inside interface.

CovertSecOps

I'm not sure how you've set things up, but here's what you need in a nutshell.

ASA
int inside 10.10.10.1 255.255.255.0
int dmz 10.10.20.1 255.255.255.0

Inside PC
ip address 10.10.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.1

DMZ PC
ip address 10.10.20.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.20.1

Make sure that the subnet mask on the ASA interfaces and the PCs are all the same. You don't need routes in the ASA because the inside and DMZ subnets will be directly connected.

CovertSecOps
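To tie the two threads above together (the "nutshell" addressing and the earlier explanation that an inbound ACL on the DMZ interface decides what enters the ASA regardless of security levels), here is an added ASA 8.2-style configuration. It is an example written for this page, not the configuration shown in the video. The addresses come from the comment above; the interface names, the ACL name DMZ_IN, and the choice of an HTTP server at 10.10.10.100 are assumptions. It deliberately permits only the one flow the lab tests instead of a blanket permit.

```cisco
! Added example, not the video's own config. Interface names, the ACL name
! and the inside web server (10.10.10.100:80) are assumptions for illustration.
hostname FW1
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! With no ACL on an interface, the security levels decide: higher -> lower
! (inside -> dmz) is allowed, lower -> higher (dmz -> inside) is dropped.
! Once an ACL is bound inbound on dmz, that ACL alone decides what may enter
! the ASA from the DMZ. Permit only the flow needed rather than "ip any any".
access-list DMZ_IN extended permit tcp host 10.10.20.100 host 10.10.10.100 eq www
! Every ACL ends with an implicit deny; an explicit logged deny makes the
! dropped flows visible in the log output.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! No ACL is bound on inside in the "out" direction, so nothing filters the
! packet again on its way out; the reply is matched by the stateful connection.
!
! Logging: turn it on and send debug-level messages to the buffer and to
! monitor (telnet/ssh) sessions. Avoid "logging console debugging" on a busy
! box; the console cannot keep up.
logging enable
logging timestamp
logging buffered debugging
logging monitor debugging
! In a telnet/ssh session, also run the exec command "terminal monitor" to see
! the messages live, as the comments above note.
```

To check the result instead of guessing, use `packet-tracer input dmz tcp 10.10.20.100 12345 10.10.10.100 80` on the ASA: each phase of the output names the ACL or security-level rule that allowed or dropped the packet. `show access-list DMZ_IN` shows per-line hit counts, and `show logging` shows the buffered messages, including the "Deny ... by access-group" lines for anything the DMZ ACL rejected. A "connection refused" reported by the remote host after all of this means the firewall let the SYN through and the target simply has nothing listening on that port.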

I have the same concern as czbdm0. Don't you have two inbound interfaces that must allow the data in? The first inbound is from the DMZ host into the DMZ interface. The second is from the DMZ interface into the inside interface. Since we did not touch the inside ACL, it should make it into the DMZ, but not past the inside interface. If not, what am I missing?

MrJimmychern

It's a superb video series about the ASA FW. I am doing this lab in GNS3. When I telnet to the internal network from the DMZ network on port 80, it says "connection refused by remote host". I am doing this in a similar fashion to what you have done in your video. What is the reason? Kindly reply. Thanks

ashar

How did you make the firewall icon in Packet Tracer?

volcer

Just started learning about firewalls. I understand the LAN is security 100 and the DMZ is 50. What I don't get is: you put the ACL of ip any any on the DMZ interface? This will allow the traffic inbound, but will the interface of the LAN, being 100, then block it? (Or are we saying that the security 100 or 50 is for inbound traffic only?) If it is, then traffic inbound from the internet is set at security 0, so all traffic can enter... araghhhh, someone help before my head

czbdm

Another thing: is your FW a PIX? What are you using? If you are going to present something and really help those trying to learn, then make sure you let everyone know what the heck you are using for all of your objects.

sisqokid

Hi CSO,

I configured it exactly as given in the post,

but can you tell me what the configuration on INT_SW is?

I still can't ping from the PC to the ASA.

hrishikeshkshirsagar

Ehhh, I have my logging enabled but I am not getting any of the cool stuff you are getting... what else do I need to turn on?

PlainCheesePizza